ipsp working group Man Li
Internet Draft Nokia
Expires May 2001 David Arneson
No Affiliation
Avri Doria
Nortel Networks
Jamie Jason
Intel
Cliff Wang
SmartPipe
November 2000
IPSec Policy Information Base
draft-ietf-ipsp-ipsecpib-01.txt
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026 [1].
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts. Internet-Drafts are draft documents valid for a maximum of
six months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as "work in
progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
1. Abstract
This document specifies a set of policy rule classes (PRC) for
configuring IPsec policy at IPsec-enabled devices. Instances of
these classes reside in a virtual information store called the IPsec
Policy Information Base (PIB). The COPS protocol [COPS] with its
extensions for provisioning [COPS-PR] may be used to transmit this
IPsec policy information to IPsec-enabled devices (e.g., gateways).
The PRCs defined in this IPsec PIB are intended for use by the
COPS-PR IPsec client type. They complement the PRCs defined in the
Framework PIB [FR-PIB].
2. Conventions used in this document
Li, et al Expires January, 2000 1
IPsec Policy Information Base October, 2000
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
this document are to be interpreted as described in RFC-2119 [2].
3. Introduction
The policy rule classes (PRC) defined in this document contain
parameters for IKE phase one and phase two negotiations. They are
based on [IPSEC-IM] [IKE] [ESP] [AH] [DOI] [IPCOMP] [SPPI]. The rule
and role approach proposed in [PCIM], which scales to large
networks, is adopted for distributing IPsec policy over COPS
protocol.
There is an ongoing effort to define an IPsec configuration policy
model [IPSEC-IM]. The PIB defined in this document is not completely
aligned with that information model; as the work proceeds, the two
should be aligned in the near future.
The PIB contained in this draft is written using SPPI as specified
in draft-ietf-rap-sppi-01.txt [SPPI]. It will be updated as SPPI
updates.
4. Operation Overview
Following the policy framework convention [PCIM], the management
entity that downloads policy to IPsec-enabled devices is called a
Policy Decision Point (PDP) and the target IPsec-enabled devices are
called Policy Enforcement Points (PEP).
On boot up, a PEP reports to a PDP, among other things, its role or
role combinations. The PDP then determines the IPsec PIB that should
be downloaded to the PEP according to the role description. Later
on, if the role of the PEP changes, the PEP notifies the PDP of its
new role and the PDP sends a new PIB to the PEP. In addition, if the
policy associated with a particular role changes, the PDP downloads
a new PIB to all the PEPs that have registered with that particular
role.
IPsec policy that is pushed down to individual PEP consists of two
parts: IKE rules for IKE phase one negotiation and IPsec rules for
IKE phase two negotiation. These sets of rules may be pushed down
either together or independently. Hence a role is associated with
each set of rules. Figure 1 shows the relations between the tables
with an example.
+----------------------+          +------------------------+
| ipSecSelectorEntries |          | ipSecRuleTableEntries  |
| Group = 10           |<---------| SelectorGroupId = 10   |
+----------------------+          | ActionGroupId = 20     |
                                  | Role = Finance_X       |
                                  +------------------------+
                                              |
                                              v
+---------------------------+     +------------------------+
| ipSecIkeRuleEntries       |     | ipSecActionEntries     |
| Prid = 30                 |     | GroupId = 20           |
| IkeEndpointGroupId = 40   |<----| Action = Tunnel        |
| Role = Finance_X          |     | IkeRuleId = 30         |
+---------------------------+     +------------------------+
        |            \                        |
        v             \                       v
+---------------------------+      \    ipSecAssociation
| ipSecIkeEndpointEntries   |       \   and subsequent
| GroupId = 40              |        \  tables
+---------------------------+         v
                              ipSecIkeAssociations
                              and subsequent tables

                          Figure 1
When a PEP reports to a PDP its roles,
- if the corresponding policy consists of IPsec rules only (i.e.,
key management is not through IKE), the roles must match only those
in the ipSecRuleTable. In the ipSecActionTable referenced by the
ipSecRuleTable, the values of the ipSecActionIkeRuleId attribute
must be zero, indicating that no IKE associations are used. As a
result, the ipSecRuleTable and all subsequent referenced tables are
pushed down to the PEP.
- if the corresponding policy consists of IKE rules only, the roles
must match only those in the ipSecIkeRuleTable. The
ipSecIkeEndpointTable indicates the peer endpoints with which to
establish IKE associations. Hence, the ipSecIkeRuleTable and all
subsequent referenced tables are pushed down to the PEP.
- if the corresponding policy consists of both IPsec rules and IKE
rules (i.e., an IKE association is established first and is then
used to negotiate the IPsec association), the roles must match those
in the ipSecRuleTable. Furthermore, in the ipSecActionTable
referenced by the ipSecRuleTable, the ipSecActionIkeRuleId
attributes must point to ipSecIkeRuleTable entries with the same
roles. In addition, if IPsec tunnel mode is required in an action,
the tunnel peer endpoint address must match an ipSecIkeEndpointId in
the ipSecIkeEndpointTable. If, on the other hand, IPsec transport
mode is required, the peer endpoint address of the IPsec association
must match an ipSecIkeEndpointId in the ipSecIkeEndpointTable. The
ipSecRuleTable and the ipSecIkeRuleTable as well as all subsequent
referenced tables are pushed down to the PEP.
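The three cases above are referential-integrity conditions that a PDP can check before it pushes a role's policy to a PEP. The following is an added example, not code from this draft or from any implementation of it. Table rows are plain dicts whose keys abbreviate the draft's attribute names; the layouts of ipSecIkeRuleTable and ipSecIkeEndpointTable are assumptions, since those tables are referenced but not defined in this part of the draft, and a simple membership test stands in for RoleCombination matching. The sample rows are constructed to mirror Figure 1.

```python
"""Pre-push consistency checks for one role, following the cases in
section 4 of the draft.  Added example; the row layouts are assumed."""


def check_policy_for_role(role, ipsec_rules, actions, ike_rules, ike_endpoints, addresses):
    """Return the inconsistencies found for `role`; an empty list means pushable.

    Row layouts (constructed for this example):
      ipsec_rules  : {"prid", "roles", "action_group"}           ipSecRuleTable
      actions      : {"prid", "action", "group", "ike_rule_id",
                      "tunnel_endpoint_id"}                      ipSecActionTable
      ike_rules    : {"prid", "roles", "endpoint_group"}         ipSecIkeRuleTable (assumed)
      ike_endpoints: {"prid", "group", "address_id"}             ipSecIkeEndpointTable (assumed)
      addresses    : {"prid", "addr_min"}                        ipSecAddressTable
    """
    problems = []
    ike_by_prid = {r["prid"]: r for r in ike_rules}
    addr_by_prid = {a["prid"]: a for a in addresses}

    def ike_peer_addrs(endpoint_group):
        # Peer addresses named by the IKE endpoint rows of one endpoint group.
        return {addr_by_prid[e["address_id"]]["addr_min"]
                for e in ike_endpoints
                if e["group"] == endpoint_group and e["address_id"] in addr_by_prid}

    # Case 2 (IKE rules only): a matched IKE rule needs at least one peer.
    for ike in ike_rules:
        if role in ike["roles"] and not ike_peer_addrs(ike["endpoint_group"]):
            problems.append(f"IKE rule {ike['prid']}: endpoint group {ike['endpoint_group']} is empty")

    # Cases 1 and 3: IPsec rules matched by role, with or without IKE.
    for rule in (r for r in ipsec_rules if role in r["roles"]):
        group = [a for a in actions if a["group"] == rule["action_group"]]
        if not group:
            problems.append(f"rule {rule['prid']}: action group {rule['action_group']} has no actions")
        for act in group:
            if act["action"] in ("bypass", "discard"):
                continue                      # no SA, nothing to cross-check
            if act["ike_rule_id"] == 0:
                continue                      # case 1: keys are not negotiated with IKE
            ike = ike_by_prid.get(act["ike_rule_id"])
            if ike is None:
                problems.append(f"action {act['prid']}: IKE rule {act['ike_rule_id']} does not exist")
                continue
            if role not in ike["roles"]:
                problems.append(f"action {act['prid']}: IKE rule {ike['prid']} does not carry role {role}")
            if act["action"] == "tunnel":
                peer = addr_by_prid.get(act["tunnel_endpoint_id"])
                if peer is None:
                    problems.append(f"action {act['prid']}: tunnel endpoint "
                                    f"{act['tunnel_endpoint_id']} does not exist")
                elif peer["addr_min"] not in ike_peer_addrs(ike["endpoint_group"]):
                    problems.append(f"action {act['prid']}: tunnel peer {peer['addr_min']} "
                                    f"is not an IKE endpoint of rule {ike['prid']}")
            # Transport mode: the draft also requires the IPsec peer (the
            # selector's destination) to be an IKE endpoint; that needs the
            # expanded selectors and is not checked here.
    return problems


# Constructed sample mirroring Figure 1: role Finance_X, action group 20,
# IKE rule 30, IKE endpoint group 40.  Addresses are documentation prefixes.
ADDRESSES = [{"prid": 1, "addr_min": "192.0.2.1"}, {"prid": 2, "addr_min": "192.0.2.2"}]
IKE_ENDPOINTS = [{"prid": 1, "group": 40, "address_id": 1}]
IKE_RULES = [{"prid": 30, "roles": {"Finance_X"}, "endpoint_group": 40}]
IPSEC_RULES = [{"prid": 1, "roles": {"Finance_X"}, "action_group": 20}]
ACTIONS = [{"prid": 1, "action": "tunnel", "group": 20,
            "ike_rule_id": 30, "tunnel_endpoint_id": 1}]

if __name__ == "__main__":
    print(check_policy_for_role("Finance_X", IPSEC_RULES, ACTIONS,
                                IKE_RULES, IKE_ENDPOINTS, ADDRESSES))
```

Run with the sample rows the check returns an empty list; pointing the tunnel action at address 2, which no IKE endpoint in group 40 names, yields one problem, and setting ipSecActionIkeRuleId to zero (manual keying, case 1) is accepted without consulting the IKE tables at all.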
4.1 Selector construction
The ipSecAddressTable specifies individual IP addresses or ranges of
IP addresses and the ipSecL4PortTable specifies individual layer 4
ports or ranges of ports. The ipSecSelectorTable references these
two tables. Each row in the selector table represents multiple
selectors. These selectors are constructed as follows:
1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP
addresses from the ipSecAddressTable whose ipSecAddressGroupId
matches the ipSecSelectorSrcAddressGroupId.
2. Substitute the ipSecSelectorDstAddressGroupId with all the IP
addresses from the ipSecAddressTable whose ipSecAddressGroupId
matches the ipSecSelectorDstAddressGroupId.
3. Substitute the ipSecSelectorSrcPortGroupId with all the ports or
ranges of port whose ipSecL4PortGroupId matches the
ipSecSelectorSrcPortGroupId.
4. Substitute the ipSecSelectorDstPortGroupId with all the ports or
ranges of port whose ipSecL4PortGroupId matches the
ipSecSelectorDstPortGroupId.
5. Construct all the possible combinations of the above four fields
together with the ipSecSelectorProtocol attribute to form a list of
five-tuple selectors
Selectors constructed from the same row inherit all the other
attributes of the row (e.g., ipSecSelectorGranularity)
The following is an example for building the selectors (only
relevant fields are shown). Suppose that the ipSecAddressTable is
populated with the following rows:
AddrMin AddrGroupId
1.2.3.4 1
1.2.3.18 1
5.6.7.1 2
5.6.7.8 2
For every row in this example, the AddrMax is a zero length octet
string, indicating that each row specifies a single IP address.
The Layer4PortTable is populated with the following rows:
PortMin PortMax PortGroupId
112 150 1
99 0 2
The PortMax is zero in the second row indicating that a single port
is specified.
The ipSecSelectorTable is populated with:
SrcAddrGpId dstAddrGpId srcPortGpId dstPortGpId protocol order
1 2 1 1 udp 1
1 2 2 2 tcp 2
The following selectors are constructed:
srcAddr dstAddr protocol srcPort dstPort
1.2.3.4 5.6.7.1 UDP 112-150 112-150
1.2.3.4 5.6.7.8 UDP 112-150 112-150
1.2.3.18 5.6.7.1 UDP 112-150 112-150
1.2.3.18 5.6.7.8 UDP 112-150 112-150
1.2.3.4 5.6.7.1 TCP 99 99
1.2.3.4 5.6.7.8 TCP 99 99
1.2.3.18 5.6.7.1 TCP 99 99
1.2.3.18 5.6.7.8 TCP 99 99
The first four selectors are constructed from the first row of the
selector table, whose order equals 1. They may be ordered in any way
among themselves. However, all of them must be evaluated before the
selectors constructed from the second row because the order of the
second row equals 2.
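The five substitution steps above and the worked example can be carried out mechanically. The following is an added example, not code from this draft; it reproduces the eight selectors of the example and, going slightly beyond it, also handles rows where AddrMax or PortMax denotes a range. The table rows are constructed here as plain tuples (column order is an assumption of this example); the attribute semantics, including PortMax = 0 and a zero length AddrMax meaning a single value, follow the draft.

```python
"""Expand ipSecSelectorTable rows into concrete five-tuple selectors
(section 4.1 of the draft).  Added example; table layout is assumed."""
from itertools import product

# Constructed sample rows, copied from the draft's section 4.1 example.
# An AddrMax of "" (zero length octet string) means a single address.
ADDRESS_TABLE = [
    # (AddrMin, AddrMax, AddrGroupId)
    ("1.2.3.4", "", 1),
    ("1.2.3.18", "", 1),
    ("5.6.7.1", "", 2),
    ("5.6.7.8", "", 2),
]

# (PortMin, PortMax, PortGroupId); a PortMax of 0 means a single port.
L4PORT_TABLE = [
    (112, 150, 1),
    (99, 0, 2),
]

# (SrcAddrGpId, DstAddrGpId, SrcPortGpId, DstPortGpId, protocol, order)
SELECTOR_TABLE = [
    (1, 2, 1, 1, "udp", 1),
    (1, 2, 2, 2, "tcp", 2),
]


def addresses_in_group(addr_table, group_id):
    """Steps 1 and 2: every address or address range whose GroupId matches."""
    out = []
    for addr_min, addr_max, gid in addr_table:
        if gid == group_id:
            out.append(addr_min if addr_max == "" else f"{addr_min}-{addr_max}")
    return out


def ports_in_group(port_table, group_id):
    """Steps 3 and 4: every port or port range whose GroupId matches."""
    out = []
    for pmin, pmax, gid in port_table:
        if gid != group_id:
            continue
        if pmax == 0:
            out.append(str(pmin))            # single port
        elif pmax > pmin:
            out.append(f"{pmin}-{pmax}")     # range
        else:
            raise ValueError(f"PortMax {pmax} must exceed PortMin {pmin}")
    return out


def expand_selectors(selector_table, addr_table, port_table):
    """Step 5: cross product of the four substituted fields with the protocol.

    Rows are processed in ascending ipSecSelectorOrder and every selector
    carries its row's order, so a PEP can evaluate all selectors of one row
    before any selector of a later row.  Each result is the tuple
    (order, srcAddr, dstAddr, protocol, srcPort, dstPort).
    """
    result = []
    for row in sorted(selector_table, key=lambda r: r[5]):
        src_gid, dst_gid, sport_gid, dport_gid, proto, order = row
        srcs = addresses_in_group(addr_table, src_gid)
        dsts = addresses_in_group(addr_table, dst_gid)
        sports = ports_in_group(port_table, sport_gid)
        dports = ports_in_group(port_table, dport_gid)
        if not (srcs and dsts and sports and dports):
            # A dangling group reference would yield a rule with no
            # selectors; refuse it rather than pushing an empty rule.
            raise ValueError(f"selector row with order {order} references an empty group")
        for src, dst, sport, dport in product(srcs, dsts, sports, dports):
            result.append((order, src, dst, proto.upper(), sport, dport))
    return result


if __name__ == "__main__":
    for selector in expand_selectors(SELECTOR_TABLE, ADDRESS_TABLE, L4PORT_TABLE):
        print(selector)
```

The cross product deliberately rejects a selector row whose group references resolve to nothing: such a row would otherwise silently become a rule that never matches, which is the kind of gap in a protect-or-discard policy a PDP should catch before provisioning.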
The use of references in the ipSecSelectorTable instead of spelling
out all the IP addresses and port numbers reduces the number of
bytes being pushed down to PEP. Grouping of IP addresses and layer
four ports serves the same purpose.
4.2 Start up condition
The establishment of IKE or IPsec associations may be triggered in
several ways as indicated by ipSecSelectorStartupCondition and
ipSecIkeEndpointStartupCondition in the ipSecSelectorTable and
ipSecIkeEndpointTable respectively. The triggers may be:
OnBoot: IPsec or IKE association is established after system boot.
To avoid both endpoints trying to set up the same association, only
the endpoint whose ipSecSelectorIsOriginator
(ipSecIkeEndpointIsOriginator) is true can initiate the IPsec (IKE)
association establishment.
OnTraffic: IPsec association is established only when packets need
to be sent and there are no appropriate security associations to
protect the packets. If there is no IKE association to protect the
IPsec association negotiation, an IKE association should be set up
first.
OnPolicy: IPsec or IKE association is established according to
ipSecRuleTimePeriodSetTable referenced by the corresponding rule. At
the time the policy becomes active, only the endpoint whose
ipSecSelectorIsOriginator (ipSecIkeEndpointIsOriginator) is true can
initiate the IPsec (IKE) association establishment.
These triggers are not mutually exclusive.
4.3 Multiple security associations, proposals and transforms
Multiple IPsec security associations may be established to protect
the same traffic between two end points. For example, to protect TCP
traffic between hosts A and B, an IPsec security association in
transport mode may be established between hosts A and B. In
addition, an IPsec security association in tunnel mode may be set up
between host A and gateway C, which protects the LAN on which host B
resides.
The ipSecRuleIpSecActionGroupId in the ipSecRuleTable is used to
handle multiple security association establishments or actions. It
contains references to the actions specified in the
ipSecActionTable. All the actions in the ipSecActionTable whose
ipSecActionGroupId matches the ipSecRuleIpSecActionGroupId must be
applied. The ipSecActionOrder indicates the order these actions
should be taken in setting up the security associations.
During a security association negotiation, the initiator may present
multiple proposals in preference order. For an IPsec security
association, every proposal may contain different protocols, e.g.,
AH and ESP (a single proposal here is equivalent to multiple proposal
payloads with the same proposal number as specified in [ISAKMP]).
Different protocols within a proposal are ANDed. Each protocol, in
turn, may contain multiple transforms in preference order. The
responder must select a single proposal and a single transform for
each protocol.
Multiple proposals are handled by the ipSecProposalSetTable and
ipSecIkeProposalSetTable. The ipSecProposalSetOrder and
ipSecIkeProposalSetOrder in these tables indicate preference.
Multiple transforms within a protocol are handled by the
ipSecAhTransformSetTable, ipSecEspTransformSetTable and
ipSecCompTransformSetTable. The ipSecAhTransformSetOrder,
ipSecEspTransformSetOrder and ipSecCompTransformSetOrder in these
tables indicate preference.
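The proposal and transform ordering described above determines what a responder may pick. The following is an added example, not code from this draft: it first builds the initiator's ordered proposal list from constructed proposal-set rows (ordered by the draft's *SetOrder attributes) and then applies the responder rule that protocols inside one proposal are ANDed while one transform is chosen per protocol. The row layout, the responder's acceptable-transform policy and the transform names are assumptions of this example.

```python
"""ISAKMP-style proposal selection as described in section 4.3 of the
draft.  Added example; the data model and transform names are assumed."""


def proposals_from_rows(rows):
    """Build the initiator's ordered proposal list from constructed rows
    (proposalOrder, protocol, transformOrder, transform), sorting by the
    ipSecProposalSetOrder and ipSec*TransformSetOrder attributes.
    Returns a list of {protocol: [transform, ...]} in preference order."""
    by_proposal = {}
    for p_order, protocol, t_order, transform in rows:
        by_proposal.setdefault(p_order, {}).setdefault(protocol, []).append((t_order, transform))
    return [
        {proto: [t for _, t in sorted(pairs)] for proto, pairs in by_proposal[p].items()}
        for p in sorted(by_proposal)
    ]


def select_proposal(proposals, acceptable):
    """Responder choice: the first proposal whose protocols can all be
    satisfied, and within it the initiator's most preferred acceptable
    transform per protocol.  Protocols inside one proposal are ANDed, so
    a single protocol without an acceptable transform rejects the whole
    proposal.  `acceptable` maps protocol -> set of transforms the
    responder is willing to use.  Returns (proposal_index, {protocol:
    transform}) or None when nothing is acceptable."""
    for idx, proposal in enumerate(proposals):
        chosen = {}
        for protocol, transforms in proposal.items():
            pick = next((t for t in transforms if t in acceptable.get(protocol, ())), None)
            if pick is None:
                break                      # one protocol unmet: reject proposal
            chosen[protocol] = pick
        else:
            if chosen:
                return idx, chosen
    return None


# Constructed sample: proposal 1 offers ESP (aes-cbc preferred over
# 3des-cbc) AND AH (hmac-sha1); proposal 2 offers ESP with 3des-cbc only.
PROPOSAL_ROWS = [
    (1, "ESP", 2, "3des-cbc"),
    (1, "ESP", 1, "aes-cbc"),
    (1, "AH", 1, "hmac-sha1"),
    (2, "ESP", 1, "3des-cbc"),
]
# A responder that implements no AH at all and only 3des-cbc for ESP.
RESPONDER_ACCEPTS = {"ESP": {"3des-cbc"}}

if __name__ == "__main__":
    proposals = proposals_from_rows(PROPOSAL_ROWS)
    print(select_proposal(proposals, RESPONDER_ACCEPTS))
```

With the sample responder the first proposal is rejected even though its ESP transform list contains 3des-cbc, because the AND with AH cannot be satisfied; the second proposal is chosen instead. A responder that accepts both protocols takes the first proposal with the initiator's preferred aes-cbc, and one that accepts only AH gets no match at all.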
5. Summary of the IPSec PIB
The IPSec PIB consists of several groups that are summarized in the
following:
ipSecSelector Group
This group specifies the selectors for IPsec associations.
ipSecAssociation Group
This group specifies attributes related to IPsec Security
Associations.
ipSecIkeAssociation Group
This group specifies attributes related to IKE Security Associations.
ipSecEspTransform Group
This group specifies attributes related to the ESP Transform.
ipSecAhTransform Group
This group specifies attributes related to the AH Transform.
ipSecCompTransform Group
This group specifies attributes related to the IPComp Transform.
ipSecPolicyTimePeriod Group
This group specifies the time periods during which a policy rule is
valid.
6. The IPSec PIB
IPSEC-POLICY-PIB PIB-DEFINITIONS ::= BEGIN
IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, TEXTUAL-CONVENTION, MODULE-COMPLIANCE,
    PolicyInstanceId, PolicyReferenceId, PolicyTagId, PolicyTagReference
        FROM COPS-PR-SPPI
    OBJECT-IDENTITY, Unsigned32
        FROM SNMPv2-SMI
    TruthValue
        FROM SNMPv2-TC
    RoleCombination
        FROM POLICY-FRAMEWORK-PIB
    OBJECT-GROUP
        FROM SNMPv2-CONF;
ipSecPolicyPib MODULE-IDENTITY
SUBJECT-CATEGORY { tbd -- IPSec Client Type }
LAST-UPDATED "200010101800Z"
ORGANIZATION "IETF ipsp WG"
CONTACT-INFO "
Man Li
Nokia
5 Wayside Road,
Burlington, MA 01803
Phone: +1 781 993 3923
Email: man.m.li@nokia.com
Avri Doria
Nortel Networks
600 Technology Park Drive
Billerica, MA 01821
Phone: +1 401 663 5024
Email: avri@nortelnetworks.com
Jamie Jason
Intel Corporation
MS JF3-206
2111 NE 25th Ave.
Hillsboro, OR 97124
Phone: +1 503 264 9531
Fax: +1 503 264 9428
E-Mail: jamie.jason@intel.com
Cliff Wang
SmartPipes Inc.
Suite 300, 565 Metro Place South
Dublin, OH 43017
Phone: +1 614 923 6241
E-Mail: CWang@smartpipes.com
DESCRIPTION
"This PIB module contains a set of policy rule classes that describe
IPSec policies."
::= { tbd }
ipSecSelector OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This group specifies selectors for IPSec associations. "
::= { ipSecPolicyPib 1 }
ipSecAssociation OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This group specifies attributes related to IPSec Security
Associations"
::= { ipSecPolicyPib 2 }
ipSecIkeAssociation OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This group specifies attributes related to IKE Security
Associations"
::= { ipSecPolicyPib 3 }
ipSecEspTransform OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This group specifies attributes related to ESP Transform"
::= { ipSecPolicyPib 4 }
ipSecAhTransform OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This group specifies attributes related to AH Transform"
::= { ipSecPolicyPib 5 }
ipSecCompTransform OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This group specifies attributes related to the IPComp Transform"
::= { ipSecPolicyPib 6 }
ipSecPolicyTimePeriod OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This group specifies the time periods during which a policy rule is
valid. "
::= { ipSecPolicyPib 7 }
ipSecPolicyPibConformance OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This group specifies requirements for conformance to the IPsec
Policy PIB"
::= { ipSecPolicyPib 8 }
--
--
-- The ipSecAddressTable
--
ipSecAddressTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecAddressEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies IP addresses"
INDEX { ipSecAddressPrid }
UNIQUENESS {
ipSecAddressAddressType,
ipSecAddressAddrMask,
ipSecAddressAddrMin,
ipSecAddressAddrMax,
ipSecAddressGroupId
}
::= { ipSecSelector 1 }
ipSecAddressEntry OBJECT-TYPE
SYNTAX IpSecAddressEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecAddressTable 1 }
IpSecAddressEntry ::= SEQUENCE {
ipSecAddressPrid PolicyInstanceId,
ipSecAddressAddressType INTEGER,
ipSecAddressAddrMask OCTET STRING,
ipSecAddressAddrMin OCTET STRING,
ipSecAddressAddrMax OCTET STRING,
ipSecAddressGroupId PolicyTagId
}
ipSecAddressPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecAddressEntry 1 }
ipSecAddressAddressType OBJECT-TYPE
SYNTAX INTEGER {
ipV4-Address(1),
fqdn(2),
user-Fqdn(3),
ipV4-Subnet(4),
ipV6-Address(5),
ipV6-Subnet(6),
ipV4-Address-Range(7),
ipV6-Address-Range(8),
der-Asn1-DN(9),
der-Asn1-GN(10),
key-Id(11)
}
STATUS current
DESCRIPTION
"Specifies the address type. This also controls the length of the
OCTET STRING for the ipSecAddressAddrMask, ipSecAddressAddrMin and
ipSecAddressAddrMax objects.
IPv4 addresses (1)(4)(7) are octet strings of length 4.
IPv6 addresses (5)(6)(8) are octet strings of length 16.
Other type of addresses are octet strings of variable length."
::= { ipSecAddressEntry 2 }
ipSecAddressAddrMask OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"A mask for the matching of the IP address. A zero bit in the mask
means that the corresponding bit in the address always matches. The
type of this address is based on the ipSecAddressAddressType. If
ipSecAddressAddressType is not IPv4 addresses (1)(4)(7) or IPv6
addresses (5)(6)(8), this attribute must be a zero length octet
string."
::= { ipSecAddressEntry 3 }
ipSecAddressAddrMin OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"Specifies an end point address. The length of the string is based
upon the address type. For IPv4 address types, this attribute is a
4-byte octet string. For IPv6 address types, this attribute is a
16-byte octet string. For other types of addresses, this attribute
is a variable length octet string.
A value of all zero (e.g., IPv4 0.0.0.0) accompanied by an
ipSecAddressAddrMask of all zero means a wild-carded address, i.e.,
all addresses match."
::= { ipSecAddressEntry 4 }
ipSecAddressAddrMax OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"If a range of addresses are being used then this specifies the
ending address. The type of this address must be the same as the
ipSecAddressAddrMin. The Length of the string is based upon the
address type. For IPv4 address types, this attribute is a 4-bytes
octet string. For IPv6 address types, this attribute is a 64-bytes
octet string. For other types of addresses, this attribute must be a
zero length octet string.
If no range is specified then this attribute must be a zero length
octet string."
::= { ipSecAddressEntry 5 }
ipSecAddressGroupId OBJECT-TYPE
SYNTAX PolicyTagId
STATUS current
DESCRIPTION
"Specifies the group this IP address, address range or subnet
belongs to."
::= { ipSecAddressEntry 6 }
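The length rules and the mask, range and wildcard semantics of the ipSecAddressTable attributes above are easy to get subtly wrong in a PEP. The following is an added example, not code from this draft, that enforces the octet-string lengths per ipSecAddressAddressType and matches a packet address against an entry: AddrMax non-empty means an inclusive range, otherwise the bits set in AddrMask are compared, so an all-zero AddrMin with an all-zero mask falls out as the wildcard the draft describes. Treating an empty AddrMask on an IP-typed entry as all-ones (exact match) is an assumption of this example; the sample entries are constructed from documentation address space.

```python
"""Length validation and address matching for ipSecAddressTable entries.
Added example; attribute semantics follow the draft, the empty-mask rule
is an assumption."""
import ipaddress

# ipSecAddressAddressType values from the draft.
IPV4_TYPES = {1, 4, 7}   # ipV4-Address, ipV4-Subnet, ipV4-Address-Range
IPV6_TYPES = {5, 6, 8}   # ipV6-Address, ipV6-Subnet, ipV6-Address-Range


def expected_length(addr_type):
    """Octet-string length mandated for AddrMin/AddrMax/AddrMask, or None
    for the variable-length identity types (fqdn, DER names, key-Id)."""
    if addr_type in IPV4_TYPES:
        return 4
    if addr_type in IPV6_TYPES:
        return 16
    return None


def validate_entry(addr_type, mask, addr_min, addr_max):
    """Raise ValueError if the entry violates the draft's length rules."""
    n = expected_length(addr_type)
    if n is None:
        if mask != b"" or addr_max != b"":
            raise ValueError("AddrMask and AddrMax must be empty for non-IP address types")
        if addr_min == b"":
            raise ValueError("AddrMin must not be empty")
        return
    if len(addr_min) != n:
        raise ValueError(f"AddrMin must be {n} octets for this address type")
    if mask != b"" and len(mask) != n:
        raise ValueError(f"AddrMask must be empty or {n} octets")
    if addr_max != b"" and len(addr_max) != n:
        raise ValueError(f"AddrMax must be empty or {n} octets")
    if addr_max != b"" and addr_max < addr_min:
        raise ValueError("AddrMax must not precede AddrMin")


def matches(addr_type, mask, addr_min, addr_max, packet_addr):
    """Does a packed IP address match this entry?

    Range  : AddrMax non-empty, match when AddrMin <= addr <= AddrMax.
    Masked : otherwise compare only the bits set in AddrMask (a zero bit
             always matches, so all-zero AddrMin + all-zero mask is the
             wildcard).  An empty mask is treated as all-ones: assumption.
    Non-IP identity types never match a packet address.
    """
    n = expected_length(addr_type)
    if n is None or len(packet_addr) != n:
        return False
    if addr_max != b"":
        return addr_min <= packet_addr <= addr_max
    if mask == b"":
        mask = b"\xff" * n
    return all((p & m) == (e & m) for p, e, m in zip(packet_addr, addr_min, mask))


# Constructed sample entries: (type, AddrMask, AddrMin, AddrMax).
SUBNET = (4, bytes([255, 255, 255, 0]), ipaddress.ip_address("10.1.2.0").packed, b"")
RANGE = (7, b"", ipaddress.ip_address("10.1.2.10").packed,
         ipaddress.ip_address("10.1.2.20").packed)
WILDCARD = (1, bytes(4), bytes(4), b"")

if __name__ == "__main__":
    for entry in (SUBNET, RANGE, WILDCARD):
        validate_entry(*entry)
    print(matches(*SUBNET, ipaddress.ip_address("10.1.2.77").packed))
```

Note that `matches` refuses to compare an address of the wrong length rather than truncating or zero-extending it, so an IPv6 packet can never be matched by an IPv4 entry whose mask happens to be permissive.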
--
--
-- The ipSecL4PortTable
--
ipSecL4PortTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecL4PortEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies layer four port numbers"
INDEX { ipSecL4PortPrid }
UNIQUENESS {
ipSecL4PortPortMin,
ipSecL4PortPortMax,
ipSecL4PortGroupId
}
::= { ipSecSelector 2 }
ipSecL4PortEntry OBJECT-TYPE
SYNTAX IpSecL4PortEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecL4PortTable 1 }
IpSecL4PortEntry ::= SEQUENCE {
ipSecL4PortPrid PolicyInstanceId,
ipSecL4PortPortMin INTEGER,
ipSecL4PortPortMax INTEGER,
ipSecL4PortGroupId PolicyTagId
}
ipSecL4PortPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecL4PortEntry 1 }
ipSecL4PortPortMin OBJECT-TYPE
SYNTAX INTEGER (0..65535)
STATUS current
DESCRIPTION
"Specifies a layer 4 port or the first layer 4 port number of a
range of ports."
::= { ipSecL4PortEntry 2 }
ipSecL4PortPortMax OBJECT-TYPE
SYNTAX INTEGER (0..65535)
STATUS current
DESCRIPTION
"Specifies the last layer 4 port in the range. If a range of ports
is not being used then this object must have a value of 0.
Otherwise, this value must be greater than that specified by
ipSecL4PortPortMin."
::= { ipSecL4PortEntry 3 }
ipSecL4PortGroupId OBJECT-TYPE
SYNTAX PolicyTagId
STATUS current
DESCRIPTION
"Specifies the group this port or range of ports belongs to."
::= { ipSecL4PortEntry 4 }
--
--
-- The ipSecSelectorTable
--
ipSecSelectorTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecSelectorEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies IPsec address selector table. Each row in the selector
table represents multiple selectors. These selectors are obtained as
follows:
1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP
addresses from the ipSecAddressTable whose ipSecAddressGroupId
matches the ipSecSelectorSrcAddressGroupId.
2. Substitute the ipSecSelectorDstAddressGroupId with all the IP
addresses from the ipSecAddressTable whose ipSecAddressGroupId
matches the ipSecSelectorDstAddressGroupId.
3. Substitute the ipSecSelectorSrcPortGroupId with all the ports or
ranges of port whose ipSecL4PortGroupId matches the
ipSecSelectorSrcPortGroupId.
4. Substitute the ipSecSelectorDstPortGroupId with all the ports or
ranges of port whose ipSecL4PortGroupId matches the
ipSecSelectorDstPortGroupId.
5. Construct all the possible combinations of the above four fields
together with the ipSecSelectorProtocol attribute to form all the
five-tuple selectors
Selectors constructed from a row inherit all the other attributes of
the row (e.g., ipSecSelectorGranularity)."
INDEX { ipSecSelectorPrid }
UNIQUENESS {
ipSecSelectorSrcAddressGroupId,
ipSecSelectorSrcPortGroupId,
ipSecSelectorDstAddressGroupId,
ipSecSelectorDstPortGroupId,
ipSecSelectorProtocol,
ipSecSelectorGranularity,
ipSecSelectorOrder,
ipSecSelectorStartupCondition,
ipSecSelectorIsOriginator,
ipSecSelectorGroupId
}
::= { ipSecSelector 3 }
ipSecSelectorEntry OBJECT-TYPE
SYNTAX IpSecSelectorEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecSelectorTable 1 }
IpSecSelectorEntry ::= SEQUENCE {
ipSecSelectorPrid PolicyInstanceId,
ipSecSelectorSrcAddressGroupId PolicyTagReference,
ipSecSelectorSrcPortGroupId PolicyTagReference,
ipSecSelectorDstAddressGroupId PolicyTagReference,
ipSecSelectorDstPortGroupId PolicyTagReference,
ipSecSelectorProtocol INTEGER,
ipSecSelectorGranularity INTEGER,
ipSecSelectorOrder Unsigned32,
ipSecSelectorStartupCondition BITS,
ipSecSelectorIsOriginator TruthValue,
ipSecSelectorGroupId PolicyTagId
}
ipSecSelectorPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecSelectorEntry 1 }
ipSecSelectorSrcAddressGroupId OBJECT-TYPE
SYNTAX PolicyTagReference
PIB-TAG ipSecAddressGroupId
STATUS current
DESCRIPTION
"Specifies source addresses. All addresses in ipSecAddressTable
whose ipSecAddressGroupId match this value are included as source
addresses."
::= { ipSecSelectorEntry 2 }
ipSecSelectorSrcPortGroupId OBJECT-TYPE
SYNTAX PolicyTagReference
PIB-TAG ipSecL4PortGroupId
STATUS current
DESCRIPTION
"Specifies source layer 4 port numbers. All ports in ipSecL4Port
whose ipSecL4PortGroupId match this value are included."
::= { ipSecSelectorEntry 3 }
ipSecSelectorDstAddressGroupId OBJECT-TYPE
SYNTAX PolicyTagReference
PIB-TAG ipSecAddressGroupId
STATUS current
DESCRIPTION
"Specifies destination addresses. All addresses in ipSecAddressTable
whose ipSecAddressGroupId match this value are included as
destination addresses."
::= { ipSecSelectorEntry 4 }
ipSecSelectorDstPortGroupId OBJECT-TYPE
SYNTAX PolicyTagReference
PIB-TAG ipSecL4PortGroupId
STATUS current
DESCRIPTION
"Specifies destination layer 4 port numbers. All ports in
ipSecL4Port whose ipSecL4PortGroupId match this value are included."
::= { ipSecSelectorEntry 5 }
ipSecSelectorProtocol OBJECT-TYPE
SYNTAX INTEGER (0..255)
STATUS current
DESCRIPTION
"Specifies IP protocol to match against the packet's protocol. A
value of zero means match all"
::= { ipSecSelectorEntry 6 }
ipSecSelectorGranularity OBJECT-TYPE
SYNTAX INTEGER {
wide(1),
narrow(2)
}
STATUS current
DESCRIPTION
"Specifies how the security associations established may be used.
A value of 1 (Wide) indicates that this security association may be
used by all packets that match the same selector that is matched by
the packet triggering the establishment of this association.
A value of 2 (Narrow) indicates that this security association can be
used only by packets that have exactly the same selector attribute
values as that of the packet triggering the establishment of this
association."
::= { ipSecSelectorEntry 7 }
ipSecSelectorOrder OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"An integer that specifies the precedence order of the selectors
within the ipSecSelectorGroup. A given precedence order is
positioned before one with a higher-valued precedence order. All
selectors constructed from the same row have the same order. The
position of selectors with the same order is unspecified."
::= { ipSecSelectorEntry 8 }
ipSecSelectorStartupCondition OBJECT-TYPE
SYNTAX BITS {
onBoot(1),
onTraffic(2),
onPolicy(3)
}
STATUS current
DESCRIPTION
"Specifies the triggering event that causes the rule that references
this selector to be applied. OnBoot (1) means that the rule is
triggered after system boot. This selector is used as the selector for
the IPsec action. OnTraffic (2) means that the rule is triggered when
packets without associated security associations are sent or received.
This selector is used as the selector for the IPsec action. OnPolicy
(3) means that the rule is triggered when it becomes valid as specified
by ipSecRuleTimePeriodGroupTable. This selector is used as the
selector for the IPsec action."
::= { ipSecSelectorEntry 9 }
ipSecSelectorIsOriginator OBJECT-TYPE
SYNTAX TruthValue
STATUS current
DESCRIPTION
"If ipSecSelectorStartupCondition is either onBoot (1) or onPolicy
(3) and when IPsec associations need to be set up, this PEP should
initiate the establishment if this attribute is True. Otherwise, it
should wait for the other end to initiate the setup."
::= { ipSecSelectorEntry 10 }
ipSecSelectorGroupId OBJECT-TYPE
SYNTAX PolicyTagId
STATUS current
DESCRIPTION
"Specifies the group this selector belongs to. Selectors in the
same group are provided with the same IPsec services."
::= { ipSecSelectorEntry 11 }
--
--
-- The ipSecRuleTable
--
ipSecRuleTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecRuleEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies IPsec rules. "
INDEX { ipSecRulePrid }
UNIQUENESS {
ipSecRuleRoles,
ipSecRuleDirection,
ipSecRuleIpSecSelectorGroupId,
ipSecRuleIpSecActionGroupId,
ipSecRuleIpSecRuleTimePeriodGroupId
}
::= { ipSecAssociation 4 }
ipSecRuleEntry OBJECT-TYPE
SYNTAX IpSecRuleEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecRuleTable 1 }
IpSecRuleEntry ::= SEQUENCE {
ipSecRulePrid PolicyInstanceId,
ipSecRuleRoles RoleCombination,
ipSecRuleDirection INTEGER,
ipSecRuleIpSecSelectorGroupId PolicyTagReference,
ipSecRuleIpSecActionGroupId PolicyTagReference,
ipSecRuleIpSecRuleTimePeriodGroupId PolicyTagReference
}
ipSecRulePrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecRuleEntry 1 }
ipSecRuleRoles OBJECT-TYPE
SYNTAX RoleCombination
STATUS current
DESCRIPTION
"Specifies the role combinations of the interface to which this
IPSec rule should apply."
::= { ipSecRuleEntry 2 }
ipSecRuleDirection OBJECT-TYPE
SYNTAX INTEGER {
in(1),
out(2),
bi-directional(3)
}
STATUS current
DESCRIPTION
"Specifies the direction of traffic to which this rule should
apply."
::= { ipSecRuleEntry 3 }
ipSecRuleIpSecSelectorGroupId OBJECT-TYPE
SYNTAX PolicyTagReference
PIB-TAG ipSecSelectorGroupId
STATUS current
DESCRIPTION
"Identifies the selectors to be associated with this IPSec rule. The
selectors in the ipSecSelectorTable whose ipSecSelectorGroupId
matches this attribute are provided with the IPSec services
specified by this rule."
::= { ipSecRuleEntry 4 }
ipSecRuleIpSecActionGroupId OBJECT-TYPE
SYNTAX PolicyTagReference
PIB-TAG ipSecActionActionGroupId
STATUS current
DESCRIPTION
"This attribute identifies the IPsec action group that is
associated with this rule. All actions specified in ipSecActionTable
whose ipSecActionActionGroupId matches the value of this attribute
must be applied."
::= { ipSecRuleEntry 5 }
ipSecRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
SYNTAX PolicyTagReference
PIB-TAG ipSecRuleTimePeriodSetRuleTimePeriodSetId
STATUS current
DESCRIPTION
"This attribute identifies an IPsec rule time period group,
specified in ipSecRuleTimePeriodGroupTable, that is associated with
this rule.
A value of zero indicates that this IPsec rule is always valid until
being deleted."
::= { ipSecRuleEntry 6 }
--
--
-- The ipSecActionTable
--
ipSecActionTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecActionEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies IPsec action."
INDEX { ipSecActionPrid }
UNIQUENESS {
ipSecActionAction,
ipSecActionTunnelEndpointId,
ipSecActionDfHandling,
ipSecActionDoLogging,
ipSecActionIpSecSecurityAssociationId,
ipSecActionActionGroupId,
ipSecActionOrder,
ipSecActionIkeRuleId
}
::= { ipSecAssociation 5 }
ipSecActionEntry OBJECT-TYPE
SYNTAX IpSecActionEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecActionTable 1 }
IpSecActionEntry ::= SEQUENCE {
ipSecActionPrid PolicyInstanceId,
ipSecActionAction INTEGER,
ipSecActionTunnelEndpointId PolicyReferenceId,
ipSecActionDfHandling INTEGER,
ipSecActionDoLogging TruthValue,
ipSecActionIpSecSecurityAssociationId PolicyReferenceId,
ipSecActionActionGroupId PolicyTagId,
ipSecActionOrder Unsigned32,
ipSecActionIkeRuleId PolicyReferenceId
}
ipSecActionPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecActionEntry 1 }
ipSecActionAction OBJECT-TYPE
SYNTAX INTEGER {
byPass(1),
discard(2),
transport(3),
tunnel(4)
}
STATUS current
DESCRIPTION
"Specifies the IPsec action to be applied to the traffic. ByPass(1)
means that the packet should pass in the clear. Discard(2) means that
the packet should be denied. Transport(3) means that the packet
should be protected with a security association in transport mode.
Tunnel(4) means that the packet should be protected with a security
association in tunnel mode. If Tunnel(4) is specified,
ipSecActionTunnelEndpointId must also be specified."
::= { ipSecActionEntry 2 }
ipSecActionTunnelEndpointId OBJECT-TYPE
SYNTAX PolicyReferenceId
PIB-REFERENCE ipSecAddressTable
STATUS current
DESCRIPTION
"When ipSecActionAction is Tunnel, this attribute specifies the IP
address of the other end of the tunnel. The address specified in
ipSecAddressTable whose ipSecAddressPrid matches this value is the
other end of the tunnel. When ipSecActionAction is not tunnel, this
attribute should be ignored. "
::= { ipSecActionEntry 3 }
ipSecActionDfHandling OBJECT-TYPE
SYNTAX INTEGER {
copy(1),
set(2),
clear(3)
}
STATUS current
DESCRIPTION
"When ipSecActionAction is tunnel, this attribute specifies how the
DF bit is handled by the tunnel. Copy (1) indicates that the DF bit
is copied. Set (2) indicates that the DF bit is set. Clear (3)
indicates that the DF bit is cleared. When ipSecActionAction is not
tunnel, this attribute should be ignored."
::= { ipSecActionEntry 4 }
ipSecActionDoLogging OBJECT-TYPE
SYNTAX TruthValue
STATUS current
DESCRIPTION
"Specifies if an audit message should be logged when discard action
is taken."
::= { ipSecActionEntry 5 }
ipSecActionIpSecSecurityAssociationId OBJECT-TYPE
SYNTAX PolicyReferenceId
PIB-REFERENCE ipSecAssociationTable
STATUS current
DESCRIPTION
"An integer that identifies an IPsec association, specified in
ipSecAssociationTable, that is associated with this action.
When ipSecActionAction specifies Bypass (1) or Discard (2), this
attribute must have a value of zero. Otherwise, its value must be
greater than zero."
::= { ipSecActionEntry 6 }
ipSecActionActionGroupId OBJECT-TYPE
SYNTAX PolicyTagId
STATUS current
DESCRIPTION
"Specifies the group this action belongs to. When ipSecActionAction
is bypass or discard, this attribute must be zero. Otherwise, this
attribute must be greater than zero."
::= { ipSecActionEntry 7 }
ipSecActionOrder OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the order the actions in this group be applied. An action
with a lower order number is applied before one with a higher order
number. "
::= { ipSecActionEntry 8 }
ipSecActionIkeRuleId OBJECT-TYPE
SYNTAX PolicyReferenceId
PIB-REFERENCE ipSecIkeRuleTable
STATUS current
DESCRIPTION
"An integer that identifies an IKE rule, specified in
ipSecIkeRuleTable, that is associated with this IPsec rule.
A value of zero means that there is no IKE rule associated."
::= { ipSecActionEntry 9 }
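The constraints stated in the ipSecActionAction, ipSecActionTunnelEndpointId, ipSecActionIpSecSecurityAssociationId, ipSecActionActionGroupId and ipSecActionOrder descriptions above, written out as the install-time checks a PDP or PEP could run on ipSecActionTable rows. This is an added Python example, not code from the draft; the row class, the sample rows and the sets of Prids present in the referenced tables are constructed here.

```python
"""Added example, not part of the draft: install-time consistency checks for
ipSecActionTable rows, following the constraints in the DESCRIPTION clauses.
The dataclass layout, the sample rows and the referenced Prid sets are
constructed for this example."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# ipSecActionAction enumeration values as defined in the PIB.
BYPASS, DISCARD, TRANSPORT, TUNNEL = 1, 2, 3, 4
# ipSecActionDfHandling enumeration values as defined in the PIB.
DF_COPY, DF_SET, DF_CLEAR = 1, 2, 3


@dataclass(frozen=True)
class IpSecActionEntry:
    prid: int                 # ipSecActionPrid
    action: int               # ipSecActionAction
    tunnel_endpoint_id: int   # PolicyReferenceId into ipSecAddressTable
    df_handling: int          # ipSecActionDfHandling (ignored unless tunnel)
    do_logging: bool          # ipSecActionDoLogging
    sa_id: int                # PolicyReferenceId into ipSecAssociationTable
    action_group_id: int      # ipSecActionActionGroupId (PolicyTagId)
    order: int                # ipSecActionOrder
    ike_rule_id: int          # PolicyReferenceId into ipSecIkeRuleTable, 0 = none


def check_action_entry(e: IpSecActionEntry, address_prids: Set[int],
                       association_prids: Set[int],
                       ike_rule_prids: Set[int]) -> List[str]:
    """Return the constraint violations of one row; empty means installable."""
    errors: List[str] = []
    if e.action not in (BYPASS, DISCARD, TRANSPORT, TUNNEL):
        return [f"prid {e.prid}: unknown ipSecActionAction {e.action}"]
    if e.action == TUNNEL:
        # tunnel(4) requires a resolvable ipSecActionTunnelEndpointId.
        if e.tunnel_endpoint_id not in address_prids:
            errors.append(f"prid {e.prid}: tunnel endpoint {e.tunnel_endpoint_id} "
                          "does not reference an ipSecAddressTable row")
        # ipSecActionDfHandling is only meaningful in tunnel mode.
        if e.df_handling not in (DF_COPY, DF_SET, DF_CLEAR):
            errors.append(f"prid {e.prid}: invalid ipSecActionDfHandling {e.df_handling}")
    if e.action in (BYPASS, DISCARD):
        # Pass-through and drop actions carry no SA and belong to no group.
        if e.sa_id != 0:
            errors.append(f"prid {e.prid}: bypass/discard requires SA id 0")
        if e.action_group_id != 0:
            errors.append(f"prid {e.prid}: bypass/discard requires action group 0")
    else:
        # Protected traffic needs an existing SA definition and a group (both > 0).
        if e.sa_id <= 0 or e.sa_id not in association_prids:
            errors.append(f"prid {e.prid}: SA id {e.sa_id} must reference an "
                          "ipSecAssociationTable row")
        if e.action_group_id <= 0:
            errors.append(f"prid {e.prid}: ipSecActionActionGroupId must be > 0")
    # ipSecActionIkeRuleId may be 0 (no IKE rule); a non-zero value must resolve.
    if e.ike_rule_id != 0 and e.ike_rule_id not in ike_rule_prids:
        errors.append(f"prid {e.prid}: IKE rule {e.ike_rule_id} does not reference "
                      "an ipSecIkeRuleTable row")
    return errors


def validate_table(entries: Iterable[IpSecActionEntry], address_prids: Set[int],
                   association_prids: Set[int],
                   ike_rule_prids: Set[int]) -> Dict[int, List[str]]:
    """Map each failing ipSecActionPrid to its list of violations."""
    result: Dict[int, List[str]] = {}
    for e in entries:
        errs = check_action_entry(e, address_prids, association_prids, ike_rule_prids)
        if errs:
            result[e.prid] = errs
    return result


def ordered_group(entries: Iterable[IpSecActionEntry], group_id: int) -> List[IpSecActionEntry]:
    """Actions of one group in application order: lower ipSecActionOrder first."""
    return sorted((e for e in entries if e.action_group_id == group_id),
                  key=lambda e: e.order)


# Constructed sample data: Prids that exist in the referenced tables.
ADDRESS_PRIDS = {10, 11}
ASSOCIATION_PRIDS = {20}
IKE_RULE_PRIDS = {30}

SAMPLE_ENTRIES = [
    IpSecActionEntry(1, TUNNEL, 10, DF_COPY, False, 20, 100, 2, 30),  # valid tunnel action
    IpSecActionEntry(2, TRANSPORT, 0, 0, False, 20, 100, 1, 0),       # valid transport action
    IpSecActionEntry(3, BYPASS, 0, 0, False, 20, 0, 0, 0),            # SA id must be 0 for bypass
    IpSecActionEntry(4, TUNNEL, 99, DF_SET, True, 0, 0, 0, 0),        # bad endpoint, SA id and group
]

if __name__ == "__main__":
    for prid, errs in validate_table(SAMPLE_ENTRIES, ADDRESS_PRIDS,
                                     ASSOCIATION_PRIDS, IKE_RULE_PRIDS).items():
        print(prid, errs)
    print([e.prid for e in ordered_group(SAMPLE_ENTRIES, 100)])  # [2, 1]
```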
--
--
-- The ipSecAssociationTable
--
ipSecAssociationTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecAssociationEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies attributes associated with IPsec associations"
INDEX { ipSecAssociationPrid }
UNIQUENESS {
ipSecAssociationRefreshThresholdSeconds,
ipSecAssociationRefreshThresholdKilobytes,
ipSecAssociationMinLifetimeSeconds,
ipSecAssociationMinLifetimeKilobytes,
ipSecAssociationTrafficIdleTime,
ipSecAssociationUsePfs,
ipSecAssociationUseIkeGroup,
ipSecAssociationDhGroup,
ipSecAssociationProposalSetId
}
::= { ipSecAssociation 6 }
ipSecAssociationEntry OBJECT-TYPE
SYNTAX IpSecAssociationEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecAssociationTable 1 }
IpSecAssociationEntry ::= SEQUENCE {
ipSecAssociationPrid PolicyInstanceId,
ipSecAssociationRefreshThresholdSeconds INTEGER,
ipSecAssociationRefreshThresholdKilobytes INTEGER,
ipSecAssociationMinLifetimeSeconds Unsigned32,
ipSecAssociationMinLifetimeKilobytes Unsigned32,
ipSecAssociationTrafficIdleTime Unsigned32,
ipSecAssociationUsePfs TruthValue,
ipSecAssociationUseIkeGroup TruthValue,
ipSecAssociationDhGroup Unsigned32,
ipSecAssociationProposalSetId PolicyTagReference
}
ipSecAssociationPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecAssociationEntry 1 }
ipSecAssociationRefreshThresholdSeconds OBJECT-TYPE
SYNTAX INTEGER (1..100)
STATUS current
DESCRIPTION
"Specifies the percentage of expiration (in other words, the refresh
threshold) of an established SA's seconds lifetime at which to begin
renegotiation of the SA.
A value of 100 means that renegotiation does not occur until the
seconds lifetime value has expired."
::= { ipSecAssociationEntry 2 }
ipSecAssociationRefreshThresholdKilobytes OBJECT-TYPE
SYNTAX INTEGER (1..100)
STATUS current
DESCRIPTION
"Specifies the percentage of expiration of an established SA's
kilobyte lifetime at which to begin renegotiation of the SA.
A value of 100 means that renegotiation does not occur until the
kilobyte lifetime value has expired."
::= { ipSecAssociationEntry 3 }
ipSecAssociationMinLifetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the minimum SA seconds lifetime that will be
accepted from a peer while negotiating an SA based upon this action.
A value of zero indicates that there is no minimum lifetime
enforced."
::= { ipSecAssociationEntry 4 }
ipSecAssociationMinLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the minimum kilobyte lifetime that will be accepted from
a negotiating peer while negotiating an SA based upon this action.
A value of zero indicates that there is no minimum lifetime
enforced."
::= { ipSecAssociationEntry 5 }
ipSecAssociationTrafficIdleTime OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the amount of time in seconds an SA may remain idle (in
other words, no traffic protected by the SA) before it is deleted.
A value of zero indicates that there is no idle time detection. The
expiration of the SA is determined by the expiration of one of the
lifetime values."
::= { ipSecAssociationEntry 6 }
ipSecAssociationUsePfs OBJECT-TYPE
SYNTAX TruthValue
STATUS current
DESCRIPTION
"If true, PFS should be used when negotiating the phase two IPsec
SA."
::= { ipSecAssociationEntry 7 }
ipSecAssociationUseIkeGroup OBJECT-TYPE
SYNTAX TruthValue
STATUS current
DESCRIPTION
"If true, the phase two DH group number should be the same as that
of phase one. Otherwise, the group number specified by the
ipSecAssociationDhGroup attribute should be used.
This attribute is ignored if ipSecAssociationUsePfs is false."
::= { ipSecAssociationEntry 8 }
ipSecAssociationDhGroup OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"If PFS should be used during IKE phase two and
ipSecAssociationUseIkeGroup is false, this attribute specifies the
Diffie-Hellman group to use.
This attribute is ignored if ipSecAssociationUsePfs is false."
::= { ipSecAssociationEntry 9 }
ipSecAssociationProposalSetId OBJECT-TYPE
SYNTAX PolicyTagReference
PIB-TAG ipSecProposalSetProposalSetId
STATUS current
DESCRIPTION
"An integer that identifies the IPsec proposal set, specified in
ipSecProposalSetTable, that is associated with this IPsec
association."
::= { ipSecAssociationEntry 10 }
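The refresh-threshold, minimum-lifetime, idle-time and PFS attributes of ipSecAssociationTable, expressed as the decisions a PEP derives from one row for a live SA (ipSecIkeAssociationTable carries the same threshold semantics for phase one SAs). This is an added Python example, not the draft's own code; the policy row and the SA state are constructed here.

```python
"""Added example, not part of the draft: what a PEP derives from one
ipSecAssociationTable row. The policy row and SA state are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IpSecAssociationEntry:
    refresh_threshold_seconds: int    # INTEGER (1..100), percent of the seconds lifetime
    refresh_threshold_kilobytes: int  # INTEGER (1..100), percent of the kilobyte lifetime
    min_lifetime_seconds: int         # 0 = no minimum enforced
    min_lifetime_kilobytes: int       # 0 = no minimum enforced
    traffic_idle_time: int            # seconds, 0 = no idle detection
    use_pfs: bool                     # ipSecAssociationUsePfs
    use_ike_group: bool               # ipSecAssociationUseIkeGroup
    dh_group: int                     # ipSecAssociationDhGroup


@dataclass
class SaState:
    lifetime_seconds: int    # negotiated seconds lifetime
    lifetime_kilobytes: int  # negotiated kilobyte lifetime, 0 = none
    age_seconds: int
    kilobytes_used: int
    idle_seconds: int        # seconds since the SA last carried traffic


def rekey_point(lifetime: int, threshold_pct: int) -> int:
    """Consumed lifetime at which renegotiation begins. A threshold of 100
    means renegotiation only once the lifetime itself has expired."""
    if not 1 <= threshold_pct <= 100:
        raise ValueError("refresh threshold must be in 1..100")
    return lifetime * threshold_pct // 100


def peer_lifetimes_acceptable(policy: IpSecAssociationEntry, offered_seconds: int,
                              offered_kilobytes: int) -> bool:
    """Apply ipSecAssociationMinLifetime*: a zero minimum is not enforced, and an
    offered kilobyte lifetime of 0 (no byte limit) never falls below a minimum."""
    if policy.min_lifetime_seconds and offered_seconds < policy.min_lifetime_seconds:
        return False
    if policy.min_lifetime_kilobytes and 0 < offered_kilobytes < policy.min_lifetime_kilobytes:
        return False
    return True


def sa_decision(policy: IpSecAssociationEntry, sa: SaState) -> str:
    """'delete-idle', 'renegotiate' or 'ok' for an established SA."""
    if policy.traffic_idle_time and sa.idle_seconds >= policy.traffic_idle_time:
        return "delete-idle"
    if sa.age_seconds >= rekey_point(sa.lifetime_seconds, policy.refresh_threshold_seconds):
        return "renegotiate"
    if sa.lifetime_kilobytes and sa.kilobytes_used >= rekey_point(
            sa.lifetime_kilobytes, policy.refresh_threshold_kilobytes):
        return "renegotiate"
    return "ok"


def phase2_dh_group(use_pfs: bool, use_ike_group: bool, dh_group: int,
                    phase1_dh_group: int) -> Optional[int]:
    """DH group for the phase two exchange, or None when PFS is not used
    (ipSecAssociationUseIkeGroup and ipSecAssociationDhGroup are then ignored)."""
    if not use_pfs:
        return None
    return phase1_dh_group if use_ike_group else dh_group


# Constructed sample policy: rekey at 80 % of seconds / 90 % of kilobytes,
# accept no seconds lifetime below 600 s, delete after 300 s idle, PFS with group 14.
POLICY = IpSecAssociationEntry(80, 90, 600, 0, 300, True, False, 14)

if __name__ == "__main__":
    sa = SaState(lifetime_seconds=3600, lifetime_kilobytes=100000,
                 age_seconds=2880, kilobytes_used=0, idle_seconds=10)
    print(sa_decision(POLICY, sa))  # renegotiate: 80 % of 3600 s reached
    print(phase2_dh_group(POLICY.use_pfs, POLICY.use_ike_group, POLICY.dh_group, 2))  # 14
```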
--
--
-- The ipSecProposalSetTable
--
ipSecProposalSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecProposalSetEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies IPsec proposal sets. Proposals within a set are ORed with
preference order."
INDEX { ipSecProposalSetPrid }
UNIQUENESS {
ipSecProposalSetProposalSetId,
ipSecProposalSetProposalId,
ipSecProposalSetOrder
}
::= { ipSecAssociation 7 }
ipSecProposalSetEntry OBJECT-TYPE
SYNTAX IpSecProposalSetEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecProposalSetTable 1 }
IpSecProposalSetEntry ::= SEQUENCE {
ipSecProposalSetPrid PolicyInstanceId,
ipSecProposalSetProposalSetId PolicyTagId,
ipSecProposalSetProposalId PolicyReferenceId,
ipSecProposalSetOrder Unsigned32
}
ipSecProposalSetPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecProposalSetEntry 1 }
ipSecProposalSetProposalSetId OBJECT-TYPE
SYNTAX PolicyTagId
STATUS current
DESCRIPTION
"An integer that identifies an IPsec proposal set"
::= { ipSecProposalSetEntry 2 }
ipSecProposalSetProposalId OBJECT-TYPE
SYNTAX PolicyReferenceId
PIB-REFERENCE ipSecProposalTable
STATUS current
DESCRIPTION
"An integer that identifies an IPsec Proposal, specified by
ipSecProposalTable, that is included in this set."
::= { ipSecProposalSetEntry 3 }
ipSecProposalSetOrder OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"An integer that specifies the precedence order of the proposal
identified by ipSecProposalSetProposalId in a proposal set. The
proposal set is identified by ipSecProposalSetProposalSetId.
Proposals within a set are ORed with preference order. A given
precedence order is positioned before one with a higher-valued
precedence order."
::= { ipSecProposalSetEntry 4 }
--
--
-- The ipSecProposalTable
--
ipSecProposalTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecProposalEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies an IPsec proposal. It has references to ESP, AH and
IPComp Transform sets. Within a proposal, different types of
transforms are ANDed. Within one type of transforms, the choices are
ORed with preference order."
INDEX { ipSecProposalPrid }
UNIQUENESS {
ipSecProposalLifetimeKilobytes,
ipSecProposalLifetimeSeconds,
ipSecProposalEspTransformSetId,
ipSecProposalAhTransformSetId,
ipSecProposalCompTransformSetId
}
::= { ipSecAssociation 8 }
ipSecProposalEntry OBJECT-TYPE
SYNTAX IpSecProposalEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecProposalTable 1 }
IpSecProposalEntry ::= SEQUENCE {
ipSecProposalPrid PolicyInstanceId,
ipSecProposalLifetimeKilobytes Unsigned32,
ipSecProposalLifetimeSeconds Unsigned32,
ipSecProposalEspTransformSetId PolicyTagReference,
ipSecProposalAhTransformSetId PolicyTagReference,
ipSecProposalCompTransformSetId PolicyTagReference
}
ipSecProposalPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecProposalEntry 1 }
ipSecProposalLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the kilobyte lifetime for this particular proposal.
A value of zero indicates that there is no kilobyte lifetime."
::= { ipSecProposalEntry 2 }
ipSecProposalLifetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the seconds lifetime for this particular proposal.
A value of zero indicates that the lifetime value defaults to 8
hours."
::= { ipSecProposalEntry 3 }
ipSecProposalEspTransformSetId OBJECT-TYPE
SYNTAX PolicyTagReference
PIB-TAG ipSecEspTransformSetTransformSetId
STATUS current
DESCRIPTION
"An integer that identifies the ESP transform set, specified in
ipSecEspTransformSetTable, that is associated with this proposal."
::= { ipSecProposalEntry 4 }
ipSecProposalAhTransformSetId OBJECT-TYPE
SYNTAX PolicyTagReference
PIB-TAG ipSecAhTransformSetTransformSetId
STATUS current
DESCRIPTION
"An integer that identifies the AH transform set, specified in
ipSecAhTransformSetTable, that is associated with this proposal."
::= { ipSecProposalEntry 5 }
ipSecProposalCompTransformSetId OBJECT-TYPE
SYNTAX PolicyTagReference
PIB-TAG ipSecCompTransformSetTransformId
STATUS current
DESCRIPTION
"An integer that identifies the IPComp transform set, specified in
ipSecCompTransformSetTable, that is associated with this proposal."
::= { ipSecProposalEntry 6 }
--
--
-- The ipSecIkeAssociationTable
--
ipSecIkeAssociationTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeAssociationEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies attributes related to IKE associations."
INDEX { ipSecIkeAssociationPrid }
UNIQUENESS {
ipSecIkeAssociationRefreshThresholdSeconds,
ipSecIkeAssociationRefreshThresholdKilobytes,
ipSecIkeAssociationMinLiftetimeSeconds,
ipSecIkeAssociationMinLifetimeKilobytes,
ipSecIkeAssociationTrafficIdleTime,
ipSecIkeAssociationExchangeMode,
ipSecIkeAssociationRefreshThresholdDerivedKeys,
ipSecIkeAssociationIKEProposalSetId
}
::= { ipSecIkeAssociation 9 }
ipSecIkeAssociationEntry OBJECT-TYPE
SYNTAX IpSecIkeAssociationEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecIkeAssociationTable 1 }
IpSecIkeAssociationEntry ::= SEQUENCE {
ipSecIkeAssociationPrid PolicyInstanceId,
ipSecIkeAssociationRefreshThresholdSeconds INTEGER,
ipSecIkeAssociationRefreshThresholdKilobytes INTEGER,
ipSecIkeAssociationMinLiftetimeSeconds Unsigned32,
ipSecIkeAssociationMinLifetimeKilobytes Unsigned32,
ipSecIkeAssociationTrafficIdleTime Unsigned32,
ipSecIkeAssociationExchangeMode INTEGER,
ipSecIkeAssociationRefreshThresholdDerivedKeys INTEGER,
ipSecIkeAssociationIKEProposalSetId PolicyTagReference
}
ipSecIkeAssociationPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecIkeAssociationEntry 1 }
ipSecIkeAssociationRefreshThresholdSeconds OBJECT-TYPE
SYNTAX INTEGER (1..100)
STATUS current
DESCRIPTION
"Specifies the percentage of expiration (in other words, the refresh
threshold) of an established SA's seconds lifetime at which to begin
renegotiation of the SA.
A value of 100 means that renegotiation does not occur until the
seconds lifetime value has expired."
::= { ipSecIkeAssociationEntry 2 }
ipSecIkeAssociationRefreshThresholdKilobytes OBJECT-TYPE
SYNTAX INTEGER (1..100)
STATUS current
DESCRIPTION
"Specifies the percentage of expiration of an established SA's
kilobyte lifetime at which to begin renegotiation of the SA.
A value of 100 means that renegotiation does not occur until the
kilobyte lifetime value has expired."
::= { ipSecIkeAssociationEntry 3 }
ipSecIkeAssociationMinLiftetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the minimum SA seconds lifetime that will be
accepted from a peer while negotiating an SA based upon this action.
A value of zero indicates that there is no minimum lifetime
enforced."
::= { ipSecIkeAssociationEntry 4 }
ipSecIkeAssociationMinLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the minimum kilobyte lifetime that will be accepted from
a negotiating peer while negotiating an SA based upon this action.
A value of zero indicates that there is no minimum lifetime
enforced."
::= { ipSecIkeAssociationEntry 5 }
ipSecIkeAssociationTrafficIdleTime OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the amount of time in seconds an SA may remain idle (in
other words, no traffic protected by the SA) before it is deleted.
A value of zero indicates that there is no idle time detection. The
expiration of the SA is determined by the expiration of one of the
lifetime values."
::= { ipSecIkeAssociationEntry 6 }
ipSecIkeAssociationExchangeMode OBJECT-TYPE
SYNTAX INTEGER {
baseMode(1),
mainMode(2),
aggressiveMode(4)
}
STATUS current
DESCRIPTION
"Specifies the negotiation mode that the IKE server will use for
phase one. "
::= { ipSecIkeAssociationEntry 7 }
ipSecIkeAssociationRefreshThresholdDerivedKeys OBJECT-TYPE
SYNTAX INTEGER (1..100)
STATUS current
DESCRIPTION
"Specifies the percentage of expiration of an established IKE SA's
derived keys lifetime at which to begin renegotiation of the SA.
A value of 100 means that renegotiation does not occur until the
derived key lifetime value has expired. "
::= { ipSecIkeAssociationEntry 8 }
ipSecIkeAssociationIKEProposalSetId OBJECT-TYPE
SYNTAX PolicyTagReference
PIB-TAG ipSecIkeProposalSetProposalSetId
STATUS current
DESCRIPTION
"An integer that identifies the IKE proposal set, specified in
ipSecIkeProposalSetTable, that is associated with this IKE
association."
::= { ipSecIkeAssociationEntry 9 }
--
--
-- The ipSecIkeRuleTable
--
ipSecIkeRuleTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeRuleEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies IKE rule."
INDEX { ipSecIkeRulePrid }
UNIQUENESS {
ipSecIkeRuleRoles,
ipSecIkeRuleIkeAssiciationId,
ipSecIkeRuleIpSecRuleTimePeriodGroupId,
ipSecIkeRuleIkeEndpointGroupId
}
::= { ipSecIkeAssociation 10 }
ipSecIkeRuleEntry OBJECT-TYPE
SYNTAX IpSecIkeRuleEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecIkeRuleTable 1 }
IpSecIkeRuleEntry ::= SEQUENCE {
ipSecIkeRulePrid PolicyInstanceId,
ipSecIkeRuleRoles RoleCombination,
ipSecIkeRuleIkeAssiciationId PolicyReferenceId,
ipSecIkeRuleIpSecRuleTimePeriodGroupId PolicyTagReference,
ipSecIkeRuleIkeEndpointGroupId PolicyTagReference
}
ipSecIkeRulePrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecIkeRuleEntry 1 }
ipSecIkeRuleRoles OBJECT-TYPE
SYNTAX RoleCombination
STATUS current
DESCRIPTION
"Specifies the role combinations of the interface to which this IKE
rule should apply."
::= { ipSecIkeRuleEntry 2 }
ipSecIkeRuleIkeAssiciationId OBJECT-TYPE
SYNTAX PolicyReferenceId
PIB-REFERENCE ipSecIkeAssociationTable
STATUS current
DESCRIPTION
"This attribute identifies the IKE association, specified in
ipSecIkeAssociationTable, that is associated with this rule."
::= { ipSecIkeRuleEntry 3 }
ipSecIkeRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
SYNTAX PolicyTagReference
PIB-TAG ipSecRuleTimePeriodSetRuleTimePeriodSetId
STATUS current
DESCRIPTION
"This attribute identifies an IPsec rule time period group,
specified in ipSecRuleTimePeriodGroupTable, that is associated with
this IKE rule.
A value of zero indicates that this IKE rule is always valid until
being deleted."
::= { ipSecIkeRuleEntry 4 }
ipSecIkeRuleIkeEndpointGroupId OBJECT-TYPE
SYNTAX PolicyTagReference
PIB-TAG ipSecIkeEndpointGroupId
STATUS current
DESCRIPTION
"An integer that identifies a group of endpoints with which this PEP
may set up IKE associations. The endpoints specified in
ipSecIkeEndpointTable whose ipSecIkeEndpointGroupId matches this
attribute are the endpoints involved. "
::= { ipSecIkeRuleEntry 5 }
--
--
-- The ipSecIkeProposalSetTable
--
ipSecIkeProposalSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeProposalSetEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies IKE proposal sets. Proposals within a set are ORed with
preference order. "
INDEX { ipSecIkeProposalSetPrid }
UNIQUENESS {
ipSecIkeProposalSetProposalSetId,
ipSecIkeProposalSetProposalId,
ipSecIkeProposalSetOrder
}
::= { ipSecIkeAssociation 11 }
ipSecIkeProposalSetEntry OBJECT-TYPE
SYNTAX IpSecIkeProposalSetEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecIkeProposalSetTable 1 }
IpSecIkeProposalSetEntry ::= SEQUENCE {
ipSecIkeProposalSetPrid PolicyInstanceId,
ipSecIkeProposalSetProposalSetId PolicyTagId,
ipSecIkeProposalSetProposalId PolicyReferenceId,
ipSecIkeProposalSetOrder Unsigned32
}
ipSecIkeProposalSetPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecIkeProposalSetEntry 1 }
ipSecIkeProposalSetProposalSetId OBJECT-TYPE
SYNTAX PolicyTagId
STATUS current
DESCRIPTION
"An integer that uniquely identifies an IKE proposal set. "
::= { ipSecIkeProposalSetEntry 2 }
ipSecIkeProposalSetProposalId OBJECT-TYPE
SYNTAX PolicyReferenceId
PIB-REFERENCE ipSecIkeProposalTable
STATUS current
DESCRIPTION
"An integer that identifies an IKE proposal, specified by the
ipSecIkeProposalTable, that is included in this set."
::= { ipSecIkeProposalSetEntry 3 }
ipSecIkeProposalSetOrder OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"An integer that specifies the precedence order of the proposal
identified by ipSecIkeProposalSetProposalId in a proposal set. The
proposal set is identified by ipSecIkeProposalSetProposalSetId.
Proposals within a set are ORed with preference order. A given
precedence order is positioned before one with a higher-valued
precedence order."
::= { ipSecIkeProposalSetEntry 4 }
--
--
-- The ipSecIkeProposalTable
--
ipSecIkeProposalTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeProposalEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies attributes associated with IKE proposals."
INDEX { ipSecIkeProposalPrid }
UNIQUENESS {
ipSecIkeProposalMaxLifetimeSeconds,
ipSecIkeProposalMaxLifetimeKilobytes,
ipSecIkeProposalCipherAlgorithm,
ipSecIkeProposalHashAlgorithm,
ipSecIkeProposalAuthenticationMethod,
ipSecIkeProposalLifetimeDerivedKeys,
ipSecIkeProposalPrfAlgorithm,
ipSecIkeProposalIkeDhGroup
}
::= { ipSecIkeAssociation 12 }
ipSecIkeProposalEntry OBJECT-TYPE
SYNTAX IpSecIkeProposalEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecIkeProposalTable 1 }
IpSecIkeProposalEntry ::= SEQUENCE {
ipSecIkeProposalPrid PolicyInstanceId,
ipSecIkeProposalMaxLifetimeSeconds Unsigned32,
ipSecIkeProposalMaxLifetimeKilobytes Unsigned32,
ipSecIkeProposalCipherAlgorithm INTEGER,
ipSecIkeProposalHashAlgorithm INTEGER,
ipSecIkeProposalAuthenticationMethod INTEGER,
ipSecIkeProposalLifetimeDerivedKeys Unsigned32,
ipSecIkeProposalPrfAlgorithm Unsigned32,
ipSecIkeProposalIkeDhGroup Unsigned32
}
ipSecIkeProposalPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecIkeProposalEntry 1 }
ipSecIkeProposalMaxLifetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the seconds lifetime for this particular proposal.
A value of zero indicates that the lifetime value defaults to 8
hours. "
::= { ipSecIkeProposalEntry 2 }
ipSecIkeProposalMaxLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the kilobyte lifetime for this particular proposal.
A value of zero indicates that there is no kilobyte lifetime. "
::= { ipSecIkeProposalEntry 3 }
ipSecIkeProposalCipherAlgorithm OBJECT-TYPE
SYNTAX INTEGER {
des-CBC(1),
idea-CBC(2),
blowfish-CBC(3),
rc5-R16-B64-CBC(4),
tripleDes-CBC(5),
cast-CBC(6)
}
STATUS current
DESCRIPTION
"Specifies the encryption algorithm to propose for the IKE
association. "
::= { ipSecIkeProposalEntry 4 }
ipSecIkeProposalHashAlgorithm OBJECT-TYPE
SYNTAX INTEGER {
md5(1),
sha-1(2),
tiger(3)
}
STATUS current
DESCRIPTION
"Specifies the hash algorithm to propose for the IKE association."
::= { ipSecIkeProposalEntry 5 }
ipSecIkeProposalAuthenticationMethod OBJECT-TYPE
SYNTAX INTEGER {
presharedKey(1),
dssSignatures(2),
rsaSignatures(3),
rsaEncryption(4),
revisedRsaEncryption(5),
kerberos(6)
}
STATUS current
DESCRIPTION
"Specifies the authentication method to propose for the IKE
association. "
::= { ipSecIkeProposalEntry 6 }
ipSecIkeProposalLifetimeDerivedKeys OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the number of times the IKE phase one key may be used to
derive an IKE phase two key. A value of zero indicates that the
number of times an IKE phase one key may be used to derive an IKE
phase two key is limited by the seconds and/or kilobyte lifetimes. "
::= { ipSecIkeProposalEntry 7 }
ipSecIkeProposalPrfAlgorithm OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the Pseudo-Random Function (PRF) to propose for the IKE
association."
::= { ipSecIkeProposalEntry 8 }
ipSecIkeProposalIkeDhGroup OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the Diffie-Hellman group to propose for the IKE
association. "
::= { ipSecIkeProposalEntry 9 }
--
--
-- The ipSecIkeEndpointTable
--
ipSecIkeEndpointTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeEndpointEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies the peer endpoints with which this PEP should establish
IKE associations according to ipSecIkeEndpointStartupCondition."
INDEX { ipSecIkeEndpointPrid }
UNIQUENESS {
ipSecIkeEndpointUseIkeIdentityType,
ipSecIkeEndpointIkeIdentityId,
ipSecIkeEndpointEndpointId,
ipSecIkeEndpointStartupCondition,
ipSecIkeEndpointIsOriginator,
ipSecIkeEndpointGroupId
}
::= { ipSecIkeAssociation 13 }
ipSecIkeEndpointEntry OBJECT-TYPE
SYNTAX IpSecIkeEndpointEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecIkeEndpointTable 1 }
IpSecIkeEndpointEntry ::= SEQUENCE {
ipSecIkeEndpointPrid PolicyInstanceId,
ipSecIkeEndpointUseIkeIdentityType INTEGER,
ipSecIkeEndpointIkeIdentityId PolicyReferenceId,
ipSecIkeEndpointEndpointId PolicyReferenceId,
ipSecIkeEndpointStartupCondition BITS,
ipSecIkeEndpointIsOriginator TruthValue,
ipSecIkeEndpointGroupId PolicyTagId
}
ipSecIkeEndpointPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecIkeEndpointEntry 1 }
ipSecIkeEndpointUseIkeIdentityType OBJECT-TYPE
SYNTAX INTEGER {
ipV4-Address(1),
fqdn(2),
user-Fqdn(3),
ipV4-Subnet(4),
ipV6-Address(5),
ipV6-Subnet(6),
ipV4-Address-Range(7),
ipV6-Address-Range(8),
der-Asn1-DN(9),
der-Asn1-GN(10),
key-Id(11)
}
STATUS current
DESCRIPTION
"Specifies the IKE identity to use during negotiation."
::= { ipSecIkeEndpointEntry 2 }
ipSecIkeEndpointIkeIdentityId OBJECT-TYPE
SYNTAX PolicyReferenceId
PIB-REFERENCE ipSecAddressTable
STATUS current
DESCRIPTION
"An integer that identifies the IKE identity of the peer. This
information is used during IKE negotiation. The type of this identity
is specified by ipSecIkeEndpointUseIkeIdentityType. The address
specified in the ipSecAddressTable whose ipSecAddressPrid matches
this integer is the IKE identity."
::= { ipSecIkeEndpointEntry 3 }
ipSecIkeEndpointEndpointId OBJECT-TYPE
SYNTAX PolicyReferenceId
PIB-REFERENCE ipSecAddressTable
STATUS current
DESCRIPTION
"Specifies an endpoint address with which this PEP may establish an
IKE association. The address in the ipSecAddressTable whose
ipSecAddressPrid matches this value is the endpoint address. This
address must identify a single endpoint. Address ranges or subnet
addresses are not allowed."
::= { ipSecIkeEndpointEntry 4 }
ipSecIkeEndpointStartupCondition OBJECT-TYPE
SYNTAX BITS {
onBoot(1),
onTraffic(2),
onPolicy(3)
}
STATUS current
DESCRIPTION
"Specifies the triggering event that causes the referenced IKE rule
to be applied. OnBoot (1) means that the rule is triggered after
system boot. OnTraffic (2) means that the rule is triggered when
packets without associated security associations are sent or
received. OnPolicy (3) means that the rule is triggered when it
becomes valid as specified by ipSecRuleTimePeriodGroupTable."
::= { ipSecIkeEndpointEntry 5 }
ipSecIkeEndpointIsOriginator OBJECT-TYPE
SYNTAX TruthValue
STATUS current
DESCRIPTION
"If this attribute is true, when IKE associations need to be set
up, this PEP should initiate the establishment. Otherwise, it should
wait for the other end to initiate the setup."
::= { ipSecIkeEndpointEntry 6 }
ipSecIkeEndpointGroupId OBJECT-TYPE
SYNTAX PolicyTagId
STATUS current
DESCRIPTION
"Specifies the group this IKE endpoint belongs to."
::= { ipSecIkeEndpointEntry 7 }
--
--
-- The ipSecEspTransformSetTable
--
ipSecEspTransformSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecEspTransformSetEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies an ESP transform group. Within a transform group, the
choices are ORed with preference order."
INDEX { ipSecEspTransformSetPrid }
UNIQUENESS {
ipSecEspTransformSetTransformSetId,
ipSecEspTransformSetTransformId,
ipSecEspTransformSetOrder
}
::= { ipSecEspTransform 14 }
ipSecEspTransformSetEntry OBJECT-TYPE
SYNTAX IpSecEspTransformSetEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecEspTransformSetTable 1 }
IpSecEspTransformSetEntry ::= SEQUENCE {
ipSecEspTransformSetPrid PolicyInstanceId,
ipSecEspTransformSetTransformSetId PolicyTagId,
ipSecEspTransformSetTransformId PolicyReferenceId,
ipSecEspTransformSetOrder Unsigned32
}
ipSecEspTransformSetPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecEspTransformSetEntry 1 }
ipSecEspTransformSetTransformSetId OBJECT-TYPE
SYNTAX PolicyTagId
STATUS current
DESCRIPTION
"An integer that identifies a set of ESP transforms"
::= { ipSecEspTransformSetEntry 2 }
ipSecEspTransformSetTransformId OBJECT-TYPE
SYNTAX PolicyReferenceId
PIB-REFERENCE ipSecEspTransformTable
STATUS current
DESCRIPTION
"An integer that identifies an ESP transform, specified by
ipSecEspTransformTable, that is included in this set."
::= { ipSecEspTransformSetEntry 3 }
ipSecEspTransformSetOrder OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"An integer that specifies the precedence order of the transform
identified by ipSecEspTransformSetTransformId within a transform
set. The transform set is identified by
ipSecEspTransformSetTransformSetId. Transforms within a set are ORed
with preference order. A given precedence order is positioned before
one with a higher-valued precedence order."
::= { ipSecEspTransformSetEntry 4 }
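The AND/OR structure described for ipSecProposalSetTable, ipSecProposalTable and the transform set tables (ipSecEspTransformSetTable above; the AH, IPComp and IKE proposal set tables share the same set/member/order row shape), expanded into the ordered list of concrete offers a PEP would present. This is an added Python example, not code from the draft; all rows are constructed sample data, and the convention that a transform-set tag of 0 means "no transform of that type in this proposal" is an assumption of the example, not something the PIB states.

```python
"""Added example, not part of the draft: expanding proposal sets, proposals and
transform sets into an ordered list of offers. All rows are constructed sample
data; tag 0 meaning "no transform set of this type" is an assumption here."""
from itertools import product
from typing import Dict, List, Optional, Tuple

# (SetId, member PolicyReferenceId, Order): the row shape shared by
# ipSecProposalSetTable and the ESP/AH/IPComp transform set tables.
SetRow = Tuple[int, int, int]
Combo = Tuple[Tuple[str, int], ...]

DEFAULT_LIFETIME_SECONDS = 8 * 3600  # ipSecProposalLifetimeSeconds 0 means 8 hours


def ordered_members(rows: List[SetRow], set_id: int) -> List[int]:
    """Members of one set, lowest *Order first; members are ORed in that order.
    Duplicate orders within a set make the preference ambiguous, so reject them."""
    members = [(order, member) for sid, member, order in rows if sid == set_id]
    if len({order for order, _ in members}) != len(members):
        raise ValueError(f"set {set_id}: duplicate precedence order")
    return [member for _, member in sorted(members)]


# ipSecProposalTable rows:
# prid -> (LifetimeKilobytes, LifetimeSeconds, EspSetId, AhSetId, CompSetId)
PROPOSALS: Dict[int, Tuple[int, int, int, int, int]] = {
    1: (0, 0, 100, 0, 0),          # ESP only, default lifetimes
    2: (0, 3600, 100, 200, 300),   # ESP AND AH AND IPComp, one hour
}
PROPOSAL_SET_ROWS: List[SetRow] = [(10, 2, 2), (10, 1, 1)]  # set 10 prefers proposal 1
ESP_SET_ROWS: List[SetRow] = [(100, 5, 1), (100, 6, 2)]      # ESP set 100: transform 5, then 6
AH_SET_ROWS: List[SetRow] = [(200, 7, 1)]                    # AH set 200: transform 7
COMP_SET_ROWS: List[SetRow] = [(300, 8, 1)]                  # IPComp set 300: transform 8


def effective_lifetimes(prid: int) -> Tuple[int, Optional[int]]:
    """(seconds, kilobytes) with the PIB defaults applied; None = no kilobyte lifetime."""
    kilobytes, seconds, _, _, _ = PROPOSALS[prid]
    return (seconds or DEFAULT_LIFETIME_SECONDS, kilobytes or None)


def expand_proposal(prid: int) -> List[Combo]:
    """All transform combinations of one proposal in preference order: the
    transform types are ANDed (cartesian product) and, within a type, the
    transforms are ORed with the lowest *Order first."""
    _, _, esp_set, ah_set, comp_set = PROPOSALS[prid]
    per_type: List[List[Tuple[str, int]]] = []
    for name, set_id, rows in (("esp", esp_set, ESP_SET_ROWS),
                               ("ah", ah_set, AH_SET_ROWS),
                               ("ipcomp", comp_set, COMP_SET_ROWS)):
        if set_id == 0:  # assumption: 0 = this transform type is not part of the proposal
            continue
        per_type.append([(name, t) for t in ordered_members(rows, set_id)])
    return list(product(*per_type))


def expand_proposal_set(set_id: int) -> List[Tuple[int, Combo]]:
    """Ordered offers: proposals ORed by ipSecProposalSetOrder, each expanded."""
    return [(prid, combo)
            for prid in ordered_members(PROPOSAL_SET_ROWS, set_id)
            for combo in expand_proposal(prid)]


if __name__ == "__main__":
    for prid, combo in expand_proposal_set(10):
        print(prid, effective_lifetimes(prid), combo)
```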
--
--
-- The ipSecEspTransformTable
--
ipSecEspTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecEspTransformEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies an ESP transform."
INDEX { ipSecEspTransformPrid }
UNIQUENESS {
ipSecEspTransformIntegrityTransformId,
ipSecEspTransformCipherTransformId,
ipSecEspTransformCipherKeyRounds,
ipSecEspTransformCipherKeyLength
}
::= { ipSecEspTransform 15 }
ipSecEspTransformEntry OBJECT-TYPE
SYNTAX IpSecEspTransformEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecEspTransformTable 1 }
IpSecEspTransformEntry ::= SEQUENCE {
ipSecEspTransformPrid PolicyInstanceId,
ipSecEspTransformIntegrityTransformId INTEGER,
ipSecEspTransformCipherTransformId INTEGER,
ipSecEspTransformCipherKeyRounds Unsigned32,
ipSecEspTransformCipherKeyLength Unsigned32
}
ipSecEspTransformPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecEspTransformEntry 1 }
ipSecEspTransformIntegrityTransformId OBJECT-TYPE
SYNTAX INTEGER {
none(0),
hmacMd5(1),
hmacSha(2),
desMac(3),
kpdk(4)
}
STATUS current
DESCRIPTION
"Specifies the ESP integrity algorithm to propose."
::= { ipSecEspTransformEntry 2 }
ipSecEspTransformCipherTransformId OBJECT-TYPE
SYNTAX INTEGER {
desIV64(1),
des(2),
tripleDES(3),
rc5(4),
idea(5),
cast(6),
blowfish(7),
tripleIDEA(8),
desIV32(9),
rc4(10),
null(11)
}
STATUS current
DESCRIPTION
"Specifies the ESP cipher/encryption algorithm to propose."
::= { ipSecEspTransformEntry 3 }
ipSecEspTransformCipherKeyRounds OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the number of key rounds for the ESP cipher
algorithm specified by the attribute
ipSecEspTransformCipherTransformId. "
::= { ipSecEspTransformEntry 4 }
ipSecEspTransformCipherKeyLength OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the length of the ESP cipher key in bits. "
::= { ipSecEspTransformEntry 5 }
--
--
-- The ipSecAhTransformSetTable
--
ipSecAhTransformSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecAhTransformSetEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies an AH transform set. Within a transform set, the choices
are ORed with preference order."
INDEX { ipSecAhTransformSetPrid }
UNIQUENESS {
ipSecAhTransformSetTransformSetId,
ipSecAhTransformSetTransformId,
ipSecAhTransformSetOrder
}
::= { ipSecAhTransform 16 }
ipSecAhTransformSetEntry OBJECT-TYPE
SYNTAX IpSecAhTransformSetEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecAhTransformSetTable 1 }
IpSecAhTransformSetEntry ::= SEQUENCE {
ipSecAhTransformSetPrid PolicyInstanceId,
ipSecAhTransformSetTransformSetId PolicyTagId,
ipSecAhTransformSetTransformId PolicyReferenceId,
ipSecAhTransformSetOrder Unsigned32
}
ipSecAhTransformSetPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecAhTransformSetEntry 1 }
ipSecAhTransformSetTransformSetId OBJECT-TYPE
SYNTAX PolicyTagId
STATUS current
DESCRIPTION
"An integer that identifies an AH transform set."
::= { ipSecAhTransformSetEntry 2 }
ipSecAhTransformSetTransformId OBJECT-TYPE
SYNTAX PolicyReferenceId
PIB-REFERENCE ipSecAhTransformTable
STATUS current
DESCRIPTION
"An integer that identifies an AH transform, as specified in
ipSecAhTransformTable, that is included in this set."
::= { ipSecAhTransformSetEntry 3 }
ipSecAhTransformSetOrder OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"An integer that specifies the precedence order of the transform
identified by ipSecAhTransformSetTransformId within a transform set.
The transform set is identified by
ipSecAhTransformSetTransformSetId. Transforms within a set are ORed
with preference order. A given precedence order is positioned before
one with a higher-valued precedence order."
::= { ipSecAhTransformSetEntry 4 }
--
--
-- The ipSecAhTransformTable
--
ipSecAhTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecAhTransformEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies an AH transform"
INDEX { ipSecAhTransformPrid }
UNIQUENESS {
ipSecAhTransformTransformId
}
::= { ipSecAhTransform 17 }
ipSecAhTransformEntry OBJECT-TYPE
SYNTAX IpSecAhTransformEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecAhTransformTable 1 }
IpSecAhTransformEntry ::= SEQUENCE {
ipSecAhTransformPrid PolicyInstanceId,
ipSecAhTransformTransformId INTEGER
}
ipSecAhTransformPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class "
::= { ipSecAhTransformEntry 1 }
ipSecAhTransformTransformId OBJECT-TYPE
SYNTAX INTEGER {
md5(2),
sha1(3),
des(4)
}
STATUS current
DESCRIPTION
"Specifies the AH hash algorithm to propose"
::= { ipSecAhTransformEntry 2 }
--
--
-- The ipSecCompTransformSetTable
--
ipSecCompTransformSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecCompTransformSetEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies an IPComp transform set. Within a transform set, the
choices are ORed with preference order."
INDEX { ipSecCompTransformSetPrid }
UNIQUENESS {
ipSecCompTransformSetTransformSetId,
ipSecCompTransformSetTransformId,
ipSecCompTransformSetOrder
}
::= { ipSecCompTransform 18 }
ipSecCompTransformSetEntry OBJECT-TYPE
SYNTAX IpSecCompTransformSetEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecCompTransformSetTable 1 }
IpSecCompTransformSetEntry ::= SEQUENCE {
ipSecCompTransformSetPrid PolicyInstanceId,
ipSecCompTransformSetTransformSetId PolicyTagId,
ipSecCompTransformSetTransformId PolicyReferenceId,
ipSecCompTransformSetOrder Unsigned32
}
ipSecCompTransformSetPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecCompTransformSetEntry 1 }
ipSecCompTransformSetTransformSetId OBJECT-TYPE
SYNTAX PolicyTagId
STATUS current
DESCRIPTION
"An integer that identifies an IPComp transform set"
::= { ipSecCompTransformSetEntry 2 }
ipSecCompTransformSetTransformId OBJECT-TYPE
SYNTAX PolicyReferenceId
PIB-REFERENCE ipSecCompTransformTable
STATUS current
DESCRIPTION
"An integer that identifies an IPComp Transform, specified by
ipSecCompTransformTable, that is included in this set."
::= { ipSecCompTransformSetEntry 3 }
ipSecCompTransformSetOrder OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"An integer that specifies the precedence order of the transform
identified by ipSecCompTransformSetTransformId within a transform
set. The transform set is identified by
ipSecCompTransformSetTransformSetId. Transforms within a set are
ORed with preference order. A given precedence order is positioned
before one with a higher-valued precedence order."
::= { ipSecCompTransformSetEntry 4 }
--
--
-- The ipSecCompTransformTable
--
ipSecCompTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecCompTransformEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies an IPComp transform."
INDEX { ipSecCompTransformPrid }
UNIQUENESS {
ipSecCompTransformAlgorithm,
ipSecCompTransformDictionarySize,
ipSecCompTransformPrivateAlgorithm
}
::= { ipSecCompTransform 19 }
ipSecCompTransformEntry OBJECT-TYPE
SYNTAX IpSecCompTransformEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecCompTransformTable 1 }
IpSecCompTransformEntry ::= SEQUENCE {
ipSecCompTransformPrid PolicyInstanceId,
ipSecCompTransformAlgorithm INTEGER,
ipSecCompTransformDictionarySize Unsigned32,
ipSecCompTransformPrivateAlgorithm Unsigned32
}
ipSecCompTransformPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecCompTransformEntry 1 }
ipSecCompTransformAlgorithm OBJECT-TYPE
SYNTAX INTEGER {
oui(1),
deflate(2),
lzs(3)
}
STATUS current
DESCRIPTION
"Specifies the IPComp compression algorithm to propose."
::= { ipSecCompTransformEntry 2 }
ipSecCompTransformDictionarySize OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the base-2 logarithm of the maximum dictionary size."
::= { ipSecCompTransformEntry 3 }
ipSecCompTransformPrivateAlgorithm OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies a vendor-specific compression algorithm to be used."
::= { ipSecCompTransformEntry 4 }
--
--
-- The ipSecRuleTimePeriodTable
--
ipSecRuleTimePeriodTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecRuleTimePeriodEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies the time periods during which a policy rule is valid. The
values of the first five attributes in a row are ANDed together to
determine the validity period(s). If any of the five attributes is
not present, it is treated as always enabled."
INDEX { ipSecRuleTimePeriodPrid }
UNIQUENESS {
ipSecRuleTimePeriodTimePeriod,
ipSecRuleTimePeriodMonthOfYearMask,
ipSecRuleTimePeriodDayOfMonthMask,
ipSecRuleTimePeriodDayOfWeekMask,
ipSecRuleTimePeriodTimeOfDayMask,
ipSecRuleTimePeriodLocalOrUtcTime
}
::= { ipSecPolicyTimePeriod 20 }
ipSecRuleTimePeriodEntry OBJECT-TYPE
SYNTAX IpSecRuleTimePeriodEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecRuleTimePeriodTable 1 }
IpSecRuleTimePeriodEntry ::= SEQUENCE {
ipSecRuleTimePeriodPrid PolicyInstanceId,
ipSecRuleTimePeriodTimePeriod OCTET STRING,
ipSecRuleTimePeriodMonthOfYearMask OCTET STRING,
ipSecRuleTimePeriodDayOfMonthMask OCTET STRING,
ipSecRuleTimePeriodDayOfWeekMask OCTET STRING,
ipSecRuleTimePeriodTimeOfDayMask OCTET STRING,
ipSecRuleTimePeriodLocalOrUtcTime INTEGER
}
ipSecRuleTimePeriodPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecRuleTimePeriodEntry 1 }
ipSecRuleTimePeriodTimePeriod OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"An octet string that identifies an overall range of calendar dates
and times over which a policy rule is valid. It reuses the format
for an explicit time period defined in RFC 2445 : a string
representing a starting date and time, in which the character 'T'
indicates the beginning of the time portion, followed by the solidus
character '/', followed by a similar string representing an end date
and time. The first date indicates the beginning of the range,
while the second date indicates the end. Thus, the second date and
time must be later than the first. Date/times are expressed as
substrings of the form yyyymmddThhmmss.
There are also two special cases:
- If the first date/time is replaced with the string THISANDPRIOR,
then the property indicates that a policy rule is valid [from now]
until the date/time that appears after the '/'.
- If the second date/time is replaced with the string THISANDFUTURE,
then the property indicates that a policy rule becomes valid on the
date/time that appears before the '/', and remains valid from that
point on. "
::= { ipSecRuleTimePeriodEntry 2 }
ipSecRuleTimePeriodMonthOfYearMask OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"An octet string that specifies which months the policy is valid
for. The octet string is structured as follows:
- a 4-octet length field, indicating the length of the entire octet
string; this field is always set to 0x00000006 for this property;
- a 2-octet field consisting of 12 bits identifying the 12 months of
the year, beginning with January and ending with December, followed
by 4 bits that are always set to '0'. For each month, the value '1'
indicates that the policy is valid for that month, and the value '0'
indicates that it is not valid.
If this property is omitted, then the policy rule is treated as
valid for all twelve months."
::= { ipSecRuleTimePeriodEntry 3 }
ipSecRuleTimePeriodDayOfMonthMask OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"An octet string that specifies which days of the month the policy
is valid for. The octet string is structured as follows:
-a 4-octet length field, indicating the length of the entire octet
string; this field is always set to 0x0000000C for this property;
-an 8-octet field consisting of 31 bits identifying the days of the
month counting from the beginning, followed by 31 more bits
identifying the days of the month counting from the end, followed by
2 bits that are always set to '0'. For each day, the value '1'
indicates that the policy is valid for that day, and the value '0'
indicates that it is not valid.
For months with fewer than 31 days, the digits corresponding to days
that the months do not have (counting in both directions) are
ignored. "
::= { ipSecRuleTimePeriodEntry 4 }
ipSecRuleTimePeriodDayOfWeekMask OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"An octet string that specifies which days of the week the policy is
valid for. The octet string is structured as follows:
- a 4-octet length field, indicating the length of the entire octet
string; this field is always set to 0x00000005 for this property;
- a 1-octet field consisting of 7 bits identifying the 7 days of the
week, beginning with Sunday and ending with Saturday, followed by 1
bit that is always set to '0'. For each day of the week, the value
'1' indicates that the policy is valid for that day, and the value
'0' indicates that it is not valid. "
::= { ipSecRuleTimePeriodEntry 5 }
ipSecRuleTimePeriodTimeOfDayMask OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"An octet string that specifies a range of times in a day the policy
is valid for. It is formatted as follows:
A time string beginning with the character 'T', followed by the
solidus character '/', followed by a second time string. The first
time indicates the beginning of the range, while the second time
indicates the end. Times are expressed as substrings of the form
Thhmmss.
The second substring always identifies a later time than the first
substring. To allow for ranges that span midnight, however, the
value of the second string may be smaller than the value of the
first substring. Thus, T080000/T210000 identifies the range from
0800 until 2100, while T210000/T080000 identifies the range from
2100 until 0800 of the following day."
::= { ipSecRuleTimePeriodEntry 6 }
ipSecRuleTimePeriodLocalOrUtcTime OBJECT-TYPE
SYNTAX INTEGER {
localTime(1),
utcTime(2)
}
STATUS current
DESCRIPTION
"This property indicates whether the times represented in this table
represent local times or UTC times. There is no provision for
mixing of local times and UTC times: the value of this property
applies to all of the other time-related properties. "
::= { ipSecRuleTimePeriodEntry 7 }
--
--
-- The ipSecRuleTimePeriodSetTable
--
ipSecRuleTimePeriodSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecRuleTimePeriodSetEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies multiple time period sets. The ipSecRuleTimePeriodTable
can specify only a single time period within a day. This table
enables the specification of multiple time periods within a day by
grouping them into one set."
INDEX { ipSecRuleTimePeriodSetPrid }
UNIQUENESS {
ipSecRuleTimePeriodSetRuleTimePeriodSetId,
ipSecRuleTimePeriodSetRuleTimePeriodId
}
::= { ipSecPolicyTimePeriod 21 }
ipSecRuleTimePeriodSetEntry OBJECT-TYPE
SYNTAX IpSecRuleTimePeriodSetEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecRuleTimePeriodSetTable 1 }
IpSecRuleTimePeriodSetEntry ::= SEQUENCE {
ipSecRuleTimePeriodSetPrid PolicyInstanceId,
ipSecRuleTimePeriodSetRuleTimePeriodSetId PolicyTagId,
ipSecRuleTimePeriodSetRuleTimePeriodId PolicyReferenceId
}
ipSecRuleTimePeriodSetPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecRuleTimePeriodSetEntry 1 }
ipSecRuleTimePeriodSetRuleTimePeriodSetId OBJECT-TYPE
SYNTAX PolicyTagId
STATUS current
DESCRIPTION
"An integer that uniquely identifies an ipSecRuleTimePeriod set. "
::= { ipSecRuleTimePeriodSetEntry 2 }
ipSecRuleTimePeriodSetRuleTimePeriodId OBJECT-TYPE
SYNTAX PolicyReferenceId
PIB-REFERENCE ipSecRuleTimePeriodTable
STATUS current
DESCRIPTION
"An integer that identifies an ipSecRuleTimePeriod, specified by the
ipSecRuleTimePeriodTable, that is included in this set."
::= { ipSecRuleTimePeriodSetEntry 3 }
--
--
-- Conformance Section
--
ipSecPolicyPibConformanceCompliances
OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 1 }
ipSecPolicyPibConformanceGroups
OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 2 }
IPSecPibCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
" Compliance statement"
MODULE MANDATORY-GROUPS {
ipSecAddressGroup,
ipSecL4PortGroup,
ipSecSelectorGroup,
ipSecRuleGroup,
ipSecActionGroup,
ipSecAssociationGroup,
ipSecProposalSetGroup,
ipSecProposalGroup,
ipSecIkeAssociationGroup,
ipSecIkeRuleGroup,
ipSecIkeProposalSetGroup,
ipSecIkeProposalGroup,
ipSecIkeEndpointGroup,
ipSecEspTransformSetGroup,
ipSecEspTransformGroup,
ipSecAhTransformSetGroup,
ipSecAhTransformGroup,
ipSecCompTransformSetGroup,
ipSecCompTransformGroup
}
GROUP ipSecRuleTimePeriodGroup
DESCRIPTION
"The ipSecRuleTimePeriodGroup is mandatory if policy scheduling is
supported."
GROUP ipSecRuleTimePeriodSetGroup
DESCRIPTION
"The ipSecRuleTimePeriodSetGroup is mandatory if policy scheduling
is supported."
::= { ipSecPolicyPibConformanceCompliances 1 }
ipSecAddressGroup OBJECT-GROUP
OBJECTS {
AddressType,
AddrMask,
AddrMin,
AddrMax,
GroupId
}
STATUS current
DESCRIPTION
" Objects from the ipSecAddressTable."
::= { ipSecPolicyPibConformanceGroups 1 }
ipSecL4PortGroup OBJECT-GROUP
OBJECTS {
PortMin,
PortMax,
GroupId
}
STATUS current
DESCRIPTION
" Objects from the ipSecL4PortTable."
::= { ipSecPolicyPibConformanceGroups 2 }
ipSecSelectorGroup OBJECT-GROUP
OBJECTS {
SrcAddressGroupId,
SrcPortGroupId,
DstAddressGroupId,
DstPortGroupId,
Protocol,
Granularity,
Order,
StartupCondition,
IsOriginator,
GroupId
}
STATUS current
DESCRIPTION
" Objects from the ipSecSelectorTable."
::= { ipSecPolicyPibConformanceGroups 3 }
ipSecRuleGroup OBJECT-GROUP
OBJECTS {
Roles,
Direction,
ipSecSelectorGroupId,
IpSecActionGroupId,
IpSecRuleTimePeriodGroupId
}
STATUS current
DESCRIPTION
" Objects from the ipSecRuleTable."
::= { ipSecPolicyPibConformanceGroups 4 }
ipSecActionGroup OBJECT-GROUP
OBJECTS {
Action,
TunnelEndpointId,
DfHandling,
DoLogging,
IpSecSecurityAssociationId,
ActionGroupId,
Order,
IkeRuleId
}
STATUS current
DESCRIPTION
" Objects from the ipSecActionTable."
::= { ipSecPolicyPibConformanceGroups 5 }
ipSecAssociationGroup OBJECT-GROUP
OBJECTS {
RefreshThresholdSeconds,
RefreshThresholdKilobytes,
MinLifetimeSeconds,
MinLifetimeKilobytes,
TrafficIdleTime,
UsePfs,
UseIkeGroup,
DhGroup,
ProposalSetId
}
STATUS current
DESCRIPTION
" Objects from the ipSecSecurityAssociationTable."
::= { ipSecPolicyPibConformanceGroups 6 }
ipSecProposalSetGroup OBJECT-GROUP
OBJECTS {
ProposalSetId,
ProposalId,
Order
}
STATUS current
DESCRIPTION
" Objects from the ipSecProposalSetTable."
::= { ipSecPolicyPibConformanceGroups 7 }
ipSecProposalGroup OBJECT-GROUP
OBJECTS {
LifetimeKilobytes,
LifetimeSeconds,
EspTransformSetId,
AhTransformSetId,
CompTransformSetId
}
STATUS current
DESCRIPTION
" Objects from the ipSecProposalTable."
::= { ipSecPolicyPibConformanceGroups 8 }
ipSecIkeAssociationGroup OBJECT-GROUP
OBJECTS {
RefreshThresholdSeconds,
RefreshThresholdKilobytes,
MinLifetimeSeconds,
MinLifetimeKilobytes,
TrafficIdleTime,
ExchangeMode,
RefreshThresholdDerivedKeys,
IKEProposalSetId
}
STATUS current
DESCRIPTION
" Objects from the ipSecIkeAssociationTable."
::= { ipSecPolicyPibConformanceGroups 9 }
ipSecIkeRuleGroup OBJECT-GROUP
OBJECTS {
Roles,
IkeAssociationId,
IpSecRuleTimePeriodGroupId,
IkeEndpointGroupId
}
STATUS current
DESCRIPTION
" Objects from the ipSecIkeRuleTable."
::= { ipSecPolicyPibConformanceGroups 10 }
ipSecIkeProposalSetGroup OBJECT-GROUP
OBJECTS {
ProposalSetId,
ProposalId,
Order
}
STATUS current
DESCRIPTION
" Objects from the ipSecIkeProposalSetTable."
::= { ipSecPolicyPibConformanceGroups 11 }
ipSecIkeProposalGroup OBJECT-GROUP
OBJECTS {
MaxLifetimeSeconds,
MaxLifetimeKilobytes,
CipherAlgorithm,
HashAlgorithm,
AuthenticationMethod,
LifetimeDerivedKeys,
PrfAlgorithm,
IkeDhGroup
}
STATUS current
DESCRIPTION
" Objects from the ipSecIkeProposalTable."
::= { ipSecPolicyPibConformanceGroups 12 }
ipSecIkeEndpointGroup OBJECT-GROUP
OBJECTS {
UseIkeIdentityType,
IkeIdentityId,
EndpointId,
StartupCondition,
IsOriginator,
GroupId
}
STATUS current
DESCRIPTION
" Objects from the ipSecIkeEndpointTable."
::= { ipSecPolicyPibConformanceGroups 13 }
ipSecEspTransformSetGroup OBJECT-GROUP
OBJECTS {
TransformSetId,
TransformId,
Order
}
STATUS current
DESCRIPTION
" Objects from the ipSecEspTransformSetTable."
::= { ipSecPolicyPibConformanceGroups 14 }
ipSecEspTransformGroup OBJECT-GROUP
OBJECTS {
IntegrityTransformId,
CipherTransformId,
CipherKeyRounds,
CipherKeyLength
}
STATUS current
DESCRIPTION
" Objects from the ipSecEspTransformTable."
::= { ipSecPolicyPibConformanceGroups 15 }
ipSecAhTransformSetGroup OBJECT-GROUP
OBJECTS {
TransformSetId,
TransformId,
Order
}
STATUS current
DESCRIPTION
" Objects from the ipSecAhTransformSetTable."
::= { ipSecPolicyPibConformanceGroups 16 }
ipSecAhTransformGroup OBJECT-GROUP
OBJECTS {
TransformId
}
STATUS current
DESCRIPTION
" Objects from the ipSecAhTransformTable."
::= { ipSecPolicyPibConformanceGroups 17 }
ipSecCompTransformSetGroup OBJECT-GROUP
OBJECTS {
TransformSetId,
TransformId,
Order
}
STATUS current
DESCRIPTION
" Objects from the ipSecCompTransformSetTable."
::= { ipSecPolicyPibConformanceGroups 18 }
ipSecCompTransformGroup OBJECT-GROUP
OBJECTS {
Algorithm,
DictionarySize,
PrivateAlgorithm
}
STATUS current
DESCRIPTION
" Objects from the ipSecCompTransformTable."
::= { ipSecPolicyPibConformanceGroups 19 }
ipSecRuleTimePeriodGroup OBJECT-GROUP
OBJECTS {
TimePeriod,
MonthOfYearMask,
DayOfMonthMask,
DayOfWeekMask,
TimeOfDayMask,
LocalOrUtcTime
}
STATUS current
DESCRIPTION
" The ipSecRuleTimePeriodGroup is mandatory if policy scheduling
is supported."
::= { ipSecPolicyPibConformanceGroups 20 }
ipSecRuleTimePeriodSetGroup OBJECT-GROUP
OBJECTS {
RuleTimePeriodSetId,
RuleTimePeriodId
}
STATUS current
DESCRIPTION
" The ipSecRuleTimePeriodSetGroup is mandatory if policy
scheduling is supported."
::= { ipSecPolicyPibConformanceGroups 21 }
END
8. Security Considerations
Since COPS carries the PIB defined in this document, the security and
protection of the policy information can be provided either by COPS
itself or by COPS combined with other security protocols, e.g., IPsec
or TLS.
9. References
[1] Bradner, S., "The Internet Standards Process -- Revision 3", BCP
9, RFC 2026, October 1996.
[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[AH] S. Kent, R. Atkinson, "IP Authentication Header", RFC 2402,
November 1998.
[ARCH] S. Kent, R. Atkinson, "Security Architecture for the Internet
Protocol", RFC 2401, November 1998.
[ICALENDAR] F. Dawson, D. Stenerson, "Internet Calendaring and
Scheduling Core Object Specification (iCalendar)", RFC 2445,
November 1998.
[COPS] J. Boyle, R. Cohen, D. Durham, S. Herzog, R. Rajan, A.
Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748,
January 2000.
[COPS-PR] K. Chan, D. Durham, S. Gai, S. Herzog, K. McCloghrie, F.
Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for
Policy Provisioning", draft-ietf-rap-cops-pr-02.txt, March 2000.
[DOI] D. Piper, "The Internet IP Security Domain of Interpretation
for ISAKMP", RFC 2407, November 1998.
[ESP] S. Kent, R. Atkinson, "IP Encapsulating Security Payload
(ESP)", RFC 2406, November 1998.
[FR-PIB] M. Fine, K. McCloghrie, J. Seligson, K. Chan, S. Hahn, A.
Smith, F. Reichmeyer, "Framework Policy Information Base", Internet
Draft, March 2000.
[IKE] D. Harkins, D. Carrel, "The Internet Key Exchange (IKE)", RFC
2409, November 1998.
[IPCOMP] A. Shacham, R. Monsour, R. Pereira, M. Thomas, "IP Payload
Compression Protocol (IPComp)", RFC 2393, August 1998.
[IPSEC-IM] J. Jason, "IPSec Configuration Policy Model",
draft-ietf-ipsp-config-policy-model-00.txt, March 2000.
[ISAKMP] D. Maughan, M. Schertler, M. Schneider, J. Turner, "Internet
Security Association and Key Management Protocol (ISAKMP)", RFC
2408, November 1998.
[PCIM] B. Moore, E. Ellesson, J. Strassner, "Policy Core Information
Model -- Version 1 Specification",
draft-ietf-policy-core-info-model-06.txt, May 2000.
[SPPI] K. McCloghrie, M. Fine, J. Seligson, K. Chan, S. Chan, A.
Smith, F. Reichmeyer, "Structure of Policy Provisioning
Information", draft-ietf-rap-sppi-01.txt, July 2000.
7. Authors' Addresses
Man Li
Nokia
5 Wayside Road,
Burlington, MA 01803
Phone: +1 781 993 3923
Email: man.m.li@nokia.com
David Arneson
Email: dla@mediaone.net
Avri Doria
Nortel Networks
600 Technology Park Drive
Billerica, MA 01821
Phone: +1 401 663 5024
Email: avri@nortelnetworks.com
Jamie Jason
Intel Corporation
MS JF3-206
2111 NE 25th Ave.
Hillsboro, OR 97124
Phone: +1 503 264 9531
E-Mail: jamie.jason@intel.com
Cliff Wang
SmartPipes Inc.
Suite 300, 565 Metro Place South
Dublin, OH 43017
Phone: +1 614 923 6241
E-Mail: CWang@smartpipes.com
Full Copyright Statement
"Copyright (C) The Internet Society (date). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph
are included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into.